Denied because it had an invalid security token

I use only CB Login module to log in.  Client is complaining she is seeing this error more often now (at Joomla! 4.4.10 now)

'UE_SESSION_EXPIRED'    =>    'The most recent request was denied because it had an invalid security token. Please go back or refresh the page and try again.',

I saw the recent post about this. I am already using session database handling and timeout of 240 minutes.

I suspect her Ipad/Iphone are using some aggressive caching to display old versions of a page when her login state hsa changed. No idea what to do about that.

Longstanding problem is those Apple products seem to log her out randomly after a few minutes -  far short of 4 hours!  She says she chooses "Remember Me" on login but the cookies just spontaneously disappear...  I have your behavior.keepalive running on every page but makes no difference for her.

One difference in my setup is I have made multiple "custom login pages" (all CB Login modules)  which log in in to separate CB GJ groups. I hacked JF Mobile Bar to give me a popup select list of these custom login pages, and she sees the above error randomly clicking on the list to go to those pages.


 

Our CSRF and form token are entirely handled by Joomla now. The error output does come from CB, but the token checks are all Joomla API. Often the culprit of this issue is caching. Specifically page caching. You can't use Joomla's page caching if you're going to have a dynamic frontend as it'll cache form tokens. Within System > Plugins unpublish the page caching plugin or configure it to exclude any pages with a form on it.

OK, I had already excluded the root URL and /cb-login - places I thought people would log in from. However she says she sees the error when clicking on the link to go to the custom login pages.  I am guessing the error happens as it renders that page. So I need to exclude all those too from plugin caching?