Cannot login (No _CSRFToken exists in session)

11 posts by 4 authors in: Forums > CMS Builder
Last Post: June 30, 2015   (RSS)

By Dave - June 30, 2015

Hi Djulia, 

Is this happening on 2.65? 

In /lib/common.php you can log what's happening by adding this code in security_dieOnInvalidCsrfToken()

function security_dieOnInvalidCsrfToken() {

  ### Validate for CSRF Token
  $errors = ''; 
  $token = @$_POST['_CSRFToken'];   // token submitted with the form (suppresses "undefined index" notice)
  // Each check below appends a message to $errors; only the first failing check fires (if/elseif chain)
  if     (array_key_exists('_CSRFToken', $_GET))      { $errors .= t("Security Error: _CSRFToken is not allow in GET urls, try using POST instead.") . "\n"; }  
  elseif (!array_key_exists('_CSRFToken', $_SESSION)) { $errors .= t("Security Error: No _CSRFToken exists in session.  Try reloading previous page.") . "\n"; }  // session has no token (e.g. session expired or was removed)
  elseif ($token == '')                               { $errors .= t("Security Error: No _CSRFToken value was submitted.") . "\n";  }  
  elseif ($token != $_SESSION['_CSRFToken'])          { $errors .= t("Security Error: Invalid _CSRFToken.") . "\n"; }  // submitted token does not match the session copy
  // 
  if ($errors) {
    @trigger_error($errors, E_USER_NOTICE);   // logging: writes the error text to PHP's error log
    die($errors);                             // stop the request; comment this out temporarily to log without blocking
  }
}

My guess is that the server is erasing your session files after a period of time. But I'd like to know what the values of $token and $_SESSION['_CSRFToken'] are when you get that error.

If you add the logging you'll be able to record when anyone gets that error. (And if you need to ensure it doesn't happen, just comment out the die temporarily.)

Hope that helps! Let me know what you find out. Thanks!

Dave Edis - Senior Developer
interactivetools.com
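The diagnostic Dave describes (record what was compared when the CSRF check fails, without necessarily killing the request) can be written as a stand-alone script. The block below is an added example, not CMS Builder's own code: the function names, the log path, the sample request arrays and the use of hash_equals() for the comparison are all assumptions made here. It logs the posted token, the session token, the session id and the session lifetime/save path, which is the information needed to test the guess that session files are being cleared.

```php
<?php
// Added example (not CMS Builder code): a CSRF check that records the values
// it compared, so a "No _CSRFToken exists in session" failure can be traced.
// Function names, log path and sample arrays below are assumptions.

declare(strict_types=1);

const CSRF_LOG = '/tmp/csrf_check.log'; // assumed log location

/**
 * Validate a submitted CSRF token against the session copy.
 * Returns '' on success, otherwise the error text.
 * $post, $get and $session are passed explicitly so the check can be
 * exercised without a live request.
 */
function csrf_validate(array $post, array $get, array $session): string {
    $token = $post['_CSRFToken'] ?? '';

    if (array_key_exists('_CSRFToken', $get)) {
        return 'Security Error: _CSRFToken is not allowed in GET urls, use POST instead.';
    }
    if (!array_key_exists('_CSRFToken', $session)) {
        return 'Security Error: No _CSRFToken exists in session. Try reloading previous page.';
    }
    if ($token === '') {
        return 'Security Error: No _CSRFToken value was submitted.';
    }
    // hash_equals(): strict, constant-time string comparison (avoids loose != surprises)
    if (!hash_equals((string) $session['_CSRFToken'], (string) $token)) {
        return 'Security Error: Invalid _CSRFToken.';
    }
    return '';
}

/**
 * Append one line per failed check: time, session id, both token values,
 * and the session lifetime/save path, the first things to inspect when
 * sessions appear to vanish between page loads.
 */
function csrf_log_failure(string $error, array $post, array $session): void {
    $line = sprintf(
        "%s sid=%s posted=%s session=%s gc_maxlifetime=%s save_path=%s error=%s\n",
        date('c'),
        session_id() !== '' ? session_id() : '-',
        var_export($post['_CSRFToken'] ?? null, true),
        var_export($session['_CSRFToken'] ?? null, true),
        ini_get('session.gc_maxlifetime'),
        ini_get('session.save_path'),
        trim($error)
    );
    error_log($line, 3, CSRF_LOG); // type 3 = append to the given file
}

// Constructed sample requests (not real traffic): [POST, GET, SESSION]
$sessionToken = bin2hex(random_bytes(16));
$cases = [
    'valid'           => [['_CSRFToken' => $sessionToken], [], ['_CSRFToken' => $sessionToken]],
    'session expired' => [['_CSRFToken' => $sessionToken], [], []],
    'token in GET'    => [[], ['_CSRFToken' => $sessionToken], ['_CSRFToken' => $sessionToken]],
    'wrong token'     => [['_CSRFToken' => 'deadbeef'], [], ['_CSRFToken' => $sessionToken]],
];

foreach ($cases as $name => [$post, $get, $session]) {
    $error = csrf_validate($post, $get, $session);
    if ($error !== '') {
        csrf_log_failure($error, $post, $session);
    }
    printf("%-16s %s\n", $name, $error === '' ? 'OK' : $error);
}
```

Run it with the PHP CLI and inspect the log file: a real deployment would call csrf_validate() with $_POST, $_GET and $_SESSION, and the log entries show whether failures correlate with the session token being absent (session file gone, or a different session id than the one that rendered the form) rather than with a mismatched value. Comparing the logged gc_maxlifetime against the time between page render and submit is the quickest way to confirm or rule out the session-expiry explanation.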