Panel: invalid csrf token

Hi everyone,

Since we have been working with more than 3 people in the panel (different accounts), we have all received the message "invalid csrf token" after the session is invalid. Relogin is not possible then. After a shift reload → deleting the session cookie, we are able to log in again.

How to fix that permanently?

Kirby Version


If I understand correctly, you can login and work in the Panel without issues most of the time but sometimes run into this invalid session issue? Or all the time and you cannot really use the Panel?

Hi @pixelijn,

Every time the session is invalid we are getting this message and have to delete the cookie (shift reload). After that we can log in as usual. If the message pops up it is not possible to log in with the correct login data.


Hm, maybe it would already help to set the session time to a longer period? But the question is why the cookie is not deleted if the session is no longer valid. Have you tried with another browser?

I'll try and come back to you later…

Firefox seems to work; maybe Chrome only and the new Chrome Edge.

Hmm, maybe it's not only the cookie. I can delete the cookie (kirby_session) via the browser console (Chrome) → press login → the message comes up. Shift reload → press login → works.

    code: 400
    details: []
    key: "error.invalidArgument"
    message: "Invalid CSRF token"
    status: "error"

Do you use a page cache like Varnish or caching rules in the web server config (e.g. in .htaccess)?

Yes, in .htaccess…

Please ensure that URLs starting with /api and /panel are not cached. The issues you describe are likely caused by this.
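As an added example (not from this thread or from the Kirby project), this is one way to express that rule in an Apache .htaccess file: every response whose path starts with /api or /panel gets explicit no-store headers, so a page cache or the browser never hands back a stale Panel page whose embedded CSRF token no longer matches the current session. The path prefixes are the Kirby defaults mentioned above; the `<If>` container requires Apache 2.4 with mod_headers enabled, which is an assumption about the server.

```apache
# Added example, not from the forum thread or from Kirby itself.
# Assumes Apache 2.4+ with mod_headers; the Panel lives at /panel and the
# API at /api (Kirby defaults). Responses for those prefixes must never be
# served from a cache, otherwise a cached login page carries a CSRF token
# that belongs to an expired session and the login fails with
# "Invalid CSRF token" until the page is force-reloaded.
<IfModule mod_headers.c>
    <If "%{REQUEST_URI} =~ m#^/(api|panel)(/|$)#">
        # Tell shared caches and the browser not to store these responses.
        Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
        # Legacy equivalents for HTTP/1.0 caches and older proxies.
        Header set Pragma "no-cache"
        Header set Expires "0"
    </If>
</IfModule>
```

Any general caching rule placed elsewhere in the same .htaccess (for example Expires headers for static assets) still applies to the rest of the site; this block only overrides it for the two prefixes. To check that it took effect, request a Panel URL with `curl -sI https://your-site.example/panel` (hostname is a placeholder) and confirm the `Cache-Control: no-store` header is present in the response.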

I’m sorry for piggybacking on this thread but I’m getting the invalid token message if the system logs me out automatically after being inactive for some time. I have to reload the login page (simple reload suffices) before I can log in again. This seems unnecessary to me. I don’t think that I have any specific caching rules set up; this is on my local server.

To add to this, I experienced the same. About 1 out of 10 logins did not work on a client's project. Reloading the page, I am able to log in again without disturbance.
I do not have access to that server at the moment, so I cannot give more information on that. I never touched the .htaccess.
Localhost works fine.