Panel keeps logging me out

I’ve updated to latest panel, kirby and toolkit version. (2.2.2)
But Panel seems to log me out at most unreasonable times, I save a page, try to edit again, and I’m returned to the login page of the panel.
Or I try to navigate within the panel, when I’m suddenly directed to the login page again.

Are you using csrf() anywhere on the front end?

I’ve built custom forms and use the csrf() function for tokens, but if I have a panel edit page open, then view my custom form, the session’s token is replaced with my custom form’s token, therefore invalidating the panel’s edit form, which results in kicking me out of the panel.

Nope, not using csrf() anywhere

This is really weird. Could you please send me a message with some more details? I might need to have a closer look at your installation:

Hi @bastianallgeier and @tnViking … I’m getting this problem a lot.

Sometimes it stays logged for a minute, sometimes the login doesn’t even happens… pretty random thou.

I did some testing in several different connections, in the coworking place I use to hangout the local network have several internet providers and a load balance hardware to join them in one single access point. It’s almost impossible to use the panel there.

At home on ADSL or using my mobile phone’s 4g the panel stays logged normally.

Is there any check or something to turn off that makes it work?

BTW… I’m using Dreamhost… any previous experience or issues in this regards with them?

Dev tools console spits out the following when I’m logged in:

Refused to execute script from 'http://localhost/panel/plugins/js?v=2.2.3' 
because its MIME type ('text/html') is not executable, 
and strict MIME type checking is enabled. 


[edit] Also sometimes the console shows:

Uncaught SyntaxError: Unexpected token <

Could you please send me an email. It would be perfect if I could run some tests on my own:

Email sent! :thumbsup:

Hm, I’m having some very odd problems with this on a site as well! It didn’t happen at all when I was developing locally, but my client has been experiencing frequent log outs both on the staging site and on the live site (TSOhost). I haven’t done enough digging yet to see if I’m experiencing the same errors as @rhawbert, I’ll take a look at that next.

Any tips about what might be going on in the meantime?

After getting some help form @bastianallgeier whom instructed me to turn off some off the CSRF from the core altogether… I ended up partially disabling it in the file: kirby/toolkit/lib/s.php.

I edited the line 113 from:

return sha1($_SERVER['HTTP_USER_AGENT'] . (ip2long($_SERVER['REMOTE_ADDR']) & ip2long('')));      


return sha1($_SERVER['HTTP_USER_AGENT']);      

If I disabled the whole thing, replacing lines 111 to 117 by this:

public static function fingerprint() { 
  return ''; 

Then I’d get a kind of “cross-login”, when two different users are logged from different locations/ip’s and one of the users get the wrong session and appear to logged as the other one.

I’m using the former solution so far without problems (using dreamhost).

1 Like

I did a fix on that in the toolkt pull #146. Could you try that, and see if it works?
I haven’t had this issue for a while, so I’m not sure how to check it.
It’s been commited to the dev branch of toolkit, so I guess It’ll be in a future release

You might want to check that $_SERVER['REMOTE_ADDR'] is set to the actual client IP in your hosting setup,

I got the same problem when hosting this in GCP k8s, because REMOTE_ADDR will be an ip to a proxy, and not the client ip, and it changes between requests. So I get logged out when that happens.

I’m having the same issues and I can’t figure out whats going on.

For my current projects panel (latest Kirby):
On my localhost I never get logged out.
On the development server I never get logged out.

On the same development server the client, at some days, gets logged out constantly and at some days not.
(she tried various browsers and two different computers, reboots and everything)

It happens with or without the return sha1($_SERVER[‘HTTP_USER_AGENT’]); change.

(On other projects, I basically never get logged out and my collegae does sometimes when we work together on the same site)

Very frustrating because I just can’t understand why :slight_smile:

Anyone have another idea?


What’s about the cookies in the browsers of the users?
Are they allowed?
Or deleted by an Add-On?

Kirby gives users normaly a session cookie!

Started to get this issue again, when I started using nginx and php-fpm on my mac.
Each time I edit a file, I am logged out of the panel. Any clues why?

When that happends to me, it’s always that I get a new IP. Really frustrating when trying to save all the work and just got logged out.

I think it’s a major problem and I hope to see persistent cookies to prevent this behavior every time the IP is changed.

I don’t get a new IP, I’ve got a static IP from my ISP and static internal IP. So nothing here should change my IP.

I see it happens when I use browsersync.
I proxy on port 3000, and it reloads on each save file.
But I am logged in on

But if I’m logged in on, it does not log me out.
So it might be something that the browsersync proxy messes up the session/ cookies.

1 Like

I just published a change on the develop branch of the toolkit, which will make it possible to create your own session fingerprint.


s::$fingerprint = function() {
  return 'some fingerprint';

In scenarios, where IP or user agent based session fingerprints won’t work, you can avoid problems that way.