Uniform CSRF token always invalid – Token & Session are correct

I’m using the Uniform plugin for Kirby (latest version) and my contact form always fails with the error:
“The CSRF token was invalid.”

What I’ve checked so far:

  • The form includes <input type="hidden" name="uniform-token" value="<?= csrf() ?>">

  • Only one Uniform form is on the page

  • The session cookie (kirby_session/PHPSESSID) stays the same from page load to POST

  • The CSRF token value in the form and the POST request matches

  • The Uniform form is created once per request in the controller and passed into the snippet

  • No new Form() in the snippet

  • 'cache.pages.active' => false and 'session.mode' => 'kirby' are set in config.php

  • /site/cache/ and /site/sessions/ are empty/cleared

  • Tested in different browsers and private tabs

  • Uniform is up to date

What happens:

  • Submitting the form always triggers “The CSRF token was invalid.”

  • I verified in DevTools that the token and session cookies are correctly submitted

Question:

I am absolutely stumped and stuck. Pretty sure it's something absolutely obvious. @mzur do you have any ideas?

Any help or pointers appreciated!

Wait, why are you setting this field manually, instead of using the csrf_field() helper method? I think the name you gave the field (uniform-token, where does this come from?) and the default CSRF field name differ. Unless you redefined it somewhere.

Make sure to follow the documentation of the plugin.

Good point - I was trying to work around issues but went down the wrong path. I used the csrf_field() now and at least the CSRF token invalid issue doesn’t persist any longer. Still working on getting the form to send an actual email though.

Thanks for now!
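The failure discussed in this thread (token value and session both correct, validation still failing) can be reproduced with a small model of a server-side check. This is an added example, not code from the posts above or from Uniform; the constant `EXPECTED_FIELD`, its value and the function names are assumptions made for illustration.

```php
<?php
// Added illustration: a minimal model of a server-side CSRF check.
// This is not Uniform's source code. EXPECTED_FIELD is an assumed name that
// stands in for whichever field name the form handler actually reads.
const EXPECTED_FIELD = 'csrf_token';

// True only if the expected field carries the session's token.
function token_is_valid(array $post, string $sessionToken): bool
{
    $submitted = $post[EXPECTED_FIELD] ?? '';
    return is_string($submitted)
        && $submitted !== ''
        && hash_equals($sessionToken, $submitted); // constant-time compare
}

// Explain why a request failed, to separate naming bugs from session bugs.
function diagnose(array $post, string $sessionToken): string
{
    if (token_is_valid($post, $sessionToken)) {
        return 'valid';
    }
    if (array_key_exists(EXPECTED_FIELD, $post)) {
        return 'token value does not match the session';
    }
    foreach ($post as $name => $value) {
        if (is_string($value) && hash_equals($sessionToken, $value)) {
            return "correct token sent under unexpected field name '$name'";
        }
    }
    return 'no token submitted';
}

// Constructed sample requests that share one session token.
$sessionToken = bin2hex(random_bytes(32));
$requests = [
    'hand-written field' => ['uniform-token' => $sessionToken, 'email' => 'a@example.com'],
    'expected field'     => [EXPECTED_FIELD => $sessionToken, 'email' => 'a@example.com'],
    'stale token'        => [EXPECTED_FIELD => str_repeat('0', 64), 'email' => 'a@example.com'],
    'token omitted'      => ['email' => 'a@example.com'],
];

foreach ($requests as $label => $post) {
    printf("%-20s %s\n", $label . ':', diagnose($post, $sessionToken));
}
```

Only the first case matches what DevTools showed in the question: the cookie and token value are right, but the handler never looks at the field that carries them.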