Panel: invalid csrf token

peterp · August 10, 2021, 9:19am

Hi everyone,

since we have been working with more than 3 people in the panel (different acounts), we have all received the message invalid csrf token after the session is invalid. Relogin is not possible than. After shift reload → deleting the session cookie, we are able to login again.

How to fix that permanently?

Kirby Version 3.5.7.1

thx

pixelijn · August 10, 2021, 11:42am

If I understand correctly, you can login and work in the Panel without issues most of the time but sometimes run into this invalid session issue? Or all the time and you cannot really use the Panel?

peterp · August 10, 2021, 12:05pm

Hi @pixelijn,

everytime the session is invalid we are getting this message and have to delete the cookie (shift reload). After that we can login as ususal. If the message pops up it is not possible to login with the correct login data.

kr

pixelijn · August 10, 2021, 12:40pm

Hm, maybe it would already help to set the session time to a longer period? But the question is why the cookie is not deleted if the session is no longer valid. Have you tried with another browser?

peterp · August 10, 2021, 1:15pm

i’ll try and come back to you later…

firefox seems to work, maybe chrome only and the new chrome edge

peterp · August 10, 2021, 1:29pm

hmm maybe it’s not only the cookie. i can delete the cookie (kirby_session) via browser console (chrome) → press login → message comes up. shift reload → press login → works.

code: 400
details: []
key: “error.invalidArgument”
message: “Invalid CSRF token”
status: “error”

lukasbestle · August 11, 2021, 7:13am

Do you use a page cache like Varnish or caching rules in the web server config (e.g. in .htaccess)?

peterp · August 11, 2021, 11:36am

yes in htaccess…

lukasbestle · August 11, 2021, 1:40pm

Please ensure that URLs starting with /api and /panel are not cached. The issues you describe are likely caused by this.

VIPStephan · November 3, 2022, 7:20pm

I’m sorry for piggybacking on this thread but I’m getting the invalid token message if the system logs me out automatically after being inactive for some time. I have to reload the login page (simple reload suffices) before I can log in again. This seems unnecessary to me. I don’t think that I have any specific caching rules set up; this is on my local server.

Urtica · November 4, 2022, 6:35am

To add to this I experienced the same. About 1 out of 10 logins did not work on a clients project. Reloading the page, I am able to log in again without disturbance.
I do not have access to that server at the moment so I can not give more information on that. I never touched the .htaccess.
Localhost works fine.