One of the most common emails I get when new clients start using Kirby is something like this:
“Site is broken, I’ve been logged out and can’t login again”
I would say that 100% of the time it's due to the CSRF token being expired. As “Invalid CSRF token” doesn’t say anything to most people, I would suggest an addition to the error text, something like “Invalid CSRF token, try reloading the page”, or have the same text as before and add a “reload page” button.