[mfox]

Interesting news on this: I increased the logging level to 4 (everything), and that didn't help much (apart from "CSRF cookie sent" there was no useful info there. But along the way, I accidentally found out that if I try to login, hit the error, go to the login screen again and logged in, it worked! I then repeated the process two more times on Edge, and once o IE.

I'm not sure what this means yet, but now I'm definitely convinced it's browser-related. It almost sounds like Edge and IE are caching the CSRF tokens from a previous login or something. Any ideas?

[InsiteFX]

Did you use the Developer tools F12 and check the console and network tabs?

It should show you whats going on.

[mfox]

Well as I said before, I tried the network tab, and the only new info I got was the response code (403 Forbidden), and that doesn't really help much (I never explicitly set that header in my code, so again the code that causes this seems to come from CI itself). I did not check the JavaScript console, because there is no JavaScript on the page. I did check to make sure that the hidden input field with the CSRF token was there (it was) but it's just a simple HTML form (no AJAX calls or anything that would print to the JS console).

[php_rocs]

@mfox,

Have you tried regenerating the CSRF for every submission.
Changing the config parameter... $config['csrf_regenerate'] = TRUE;