Panel: invalid csrf token

Hi everyone,

since we have been working with more than 3 people in the panel (different accounts), we have all received the message invalid csrf token after the session is invalid. Relogin is not possible then. After shift reload → deleting the session cookie, we are able to login again.

How to fix that permanently?

Kirby Version


If I understand correctly, you can login and work in the Panel without issues most of the time but sometimes run into this invalid session issue? Or all the time and you cannot really use the Panel?

Hi @pixelijn,

every time the session is invalid we are getting this message and have to delete the cookie (shift reload). After that we can login as usual. If the message pops up it is not possible to login with the correct login data.


Hm, maybe it would already help to set the session time to a longer period? But the question is why the cookie is not deleted if the session is no longer valid. Have you tried with another browser?

I’ll try and come back to you later…

Firefox seems to work; maybe Chrome only, and the new Chrome Edge.

Hmm, maybe it’s not only the cookie. I can delete the cookie (kirby_session) via browser console (Chrome) → press login → message comes up. Shift reload → press login → works.

  1. code: 400
  2. details: []
  3. key: “error.invalidArgument”
  4. message: “Invalid CSRF token”
  5. status: “error”

Do you use a page cache like Varnish or caching rules in the web server config (e.g. in .htaccess)?

Yes, in .htaccess…

Please ensure that URLs starting with /api and /panel are not cached. The issues you describe are likely caused by this.
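A concrete form of that fix, as an added example rather than configuration from this thread or from Kirby itself: it assumes Apache 2.4 with mod_expires, mod_headers and mod_setenvif enabled, Kirby served from the document root, and an environment variable name (no_cache) chosen here for illustration. The commented-out block at the top is the kind of blanket rule that produces the symptom; the rules below it are the corrected version.

```apache
# --- Before: a blanket cache rule in .htaccess (the kind that triggers
# "Invalid CSRF token") ---
# Every response, including the Panel HTML and the /api JSON, is marked
# cacheable for a day, so the browser or a proxy may replay a Panel page
# whose embedded CSRF token belongs to a session that has already expired.
#
# <IfModule mod_expires.c>
#   ExpiresActive On
#   ExpiresDefault "access plus 1 day"
# </IfModule>
# <IfModule mod_headers.c>
#   Header set Cache-Control "public, max-age=86400"
# </IfModule>

# --- After: cache only static assets, never /api or /panel ---

# 1. Flag requests to the Panel and its API. The variable name no_cache is
#    an arbitrary choice for this example.
<IfModule mod_setenvif.c>
  SetEnvIf Request_URI "^/(api|panel)(/|$)" no_cache=1
</IfModule>

# 2. Limit long-lived caching to real static files, selected by extension,
#    instead of applying ExpiresDefault to every response.
<IfModule mod_expires.c>
  <FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|woff2?)$">
    ExpiresActive On
    ExpiresDefault "access plus 1 day"
  </FilesMatch>
</IfModule>

# 3. Tell browsers and intermediate caches never to store Panel or API
#    responses, so every login page and API call carries a fresh token.
<IfModule mod_headers.c>
  Header set Cache-Control "no-store, no-cache, must-revalidate" env=no_cache
  Header set Pragma "no-cache" env=no_cache
</IfModule>
```

To confirm the rule is active, request a Panel URL with `curl -sI https://example.test/panel/login` (placeholder host) and check that the response carries `Cache-Control: no-store` and no long-lived `Expires` header, while a request for a CSS file under /media still does.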