POST via Ajax returns 403 with CSRF enabled
#3

(04-06-2020, 08:27 AM)Gary Wrote: When using CSRF, a unique token is automatically regenerated for each page update (for HTML), but not for AJAX (as the page isn't updated)... having a brief glance at your code, it does look like you're passing the token correctly, and also for every reply to the server, which may point to your reply being rejected AFTER the first use of the token (do you perhaps find you get one AJAX submission in, then it goes pear-shaped from the second one?).

From a comment in your code, you seem aware of one way around this being to set $CSRFRegenerate=FALSE in App.php, which will keep a single CSRF token valid for the whole browser session (likely not quite as secure as having a new one generated each time... though it is an easy fix for the AJAX submission problem, and also when using the browser's navigate-back button)... so as an initial suggestion, I'd suggest changing and leaving $CSRFRegenerate set to FALSE, which would make it easier to get working initially (which you could then change later, if required).

As an aside, having been burnt a few times with trailing spaces in names and values, and although it probably is of no consequence here, as I'm paranoid, I’d normally encode:
Code:
name="<?= csrf_token() ?>" value="<?= csrf_hash() ?>" id="msg_csrf"/>
as:
Code:
name="<?=csrf_token();?>" value="<?=csrf_hash();?>" id="msg_csrf"/> <!-- semicolon added to be pedantically correct -->


Thank you Gary,

Note that:
- There is only one submission
- Yep, I'm aware of CSRFRegenerate, but the issue persists with it set to false as well
- The semicolon didn't make a difference

Any other ideas? Might it be a bug? I think you should be able to reproduce this issue with all the details that I've shared initially.


Messages In This Thread
RE: POST via Ajax returns 403 with CSRF enabled - by marcvidalim - 04-06-2020, 09:30 AM
