0

CSRF token mismatch errors after form submission — how to resolve?

I keep getting a 403 CSRF token mismatch when submitting forms in my generated app. The CI4 security config looks fine. What could cause this?
Posted by Unknown Feb 07, 2026 97 views

1 answer

0
✓ Accepted
CSRF mismatches in CI4 Shield apps usually come from one of three causes:

1. **Token name mismatch.** CI Wiz-generated apps use a dynamic CSRF token name from `app/Config/Security.php`. The JS in `defaultLayout.php` initializes it as `var v = ''` and the AJAX helper reads it by that variable. If you changed `tokenName` in config after generating the app, the JS variable name and the PHP-side name are out of sync. Fix: regenerate the layout or update the JS manually.

2. **`regenerate = true` in Security config with SPA-style AJAX.** If `security.regenerate` is `true`, the token changes after every validated request. For AJAX-heavy pages, the second request fails because the JS still holds the old token. The generated app sets `regenerate = false` intentionally — do not change it to `true` without adding token-refresh logic in your AJAX response handler (the `yeniden()` function in the base layout handles this).

3. **Session driver issue.** If sessions are not persisting correctly (wrong `sessionSavePath`, file permissions on `writable/session/`, or a misconfigured Redis/database session), the CSRF token cannot be validated. Check that sessions are working at all by testing a simple session write/read.
Answered by cantonner Feb 07, 2026
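The second cause above (per-request token rotation breaking the next AJAX call) is easy to reproduce in isolation. The following is an added example, not code from the post or from CI Wiz: a simulated server that rotates the token the way `security.regenerate = true` does, and a client helper that either keeps its initial token or refreshes it from each response. The names `fakeServer`, `makeClient`, `twoRequests` and the token name `csrf_test_name` are constructed for this demo.

```javascript
// Simulated CI4-style CSRF flow (constructed example, not CI4's own code).
// Placeholder hashes are a simple counter so the run is deterministic.
function fakeServer(regenerate) {
  const tokenName = "csrf_test_name"; // stands in for tokenName in app/Config/Security.php
  let n = 0;
  const newHash = () => "hash-" + (++n);
  let hash = newHash();
  return {
    tokenName,
    currentHash: () => hash,
    // Validate the submitted token against the session's current one; when
    // `regenerate` is on, rotate it after every validated request and return
    // the new hash in the JSON body (what a controller would expose via csrf_hash()).
    handle(body) {
      if (body[tokenName] !== hash) {
        return { status: 403, json: { error: "CSRF token mismatch" } };
      }
      if (regenerate) hash = newHash();
      return { status: 200, json: { ok: true, [tokenName]: hash } };
    },
  };
}

// Client side: a token store initialised from the rendered page, plus an
// AJAX helper. With `refresh` on it updates the stored hash from each
// response, which is the token-refresh logic the answer says you need.
function makeClient(server, refresh) {
  const store = { name: server.tokenName, hash: server.currentHash() };
  return function postWithCsrf(fields) {
    const res = server.handle({ ...fields, [store.name]: store.hash });
    if (refresh && res.status === 200 && res.json[store.name]) {
      store.hash = res.json[store.name];
    }
    return res.status;
  };
}

// Two back-to-back requests from one page load; returns their status codes.
function twoRequests(regenerate, refresh) {
  const post = makeClient(fakeServer(regenerate), refresh);
  return [post({ a: 1 }), post({ b: 2 })];
}
```

With `regenerate` on and no refresh the second call returns 403, which is exactly the symptom in the question; with refresh, or with `regenerate = false` as the generated app ships, both calls return 200.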
