I don't know much about CSRF Tokens myself, having only studied the subject for a total of 5 minutes. But it sounds to me that this behavior is by design, especially if there is still an active token associated with https and the user attempts an encrypted connection (by default tokens last for 24 hours).

The only things I can think of to try to mitigate your issue would be to:

a) stick to https connections, if possible
b) dedicate one browser to https and another to http (or use one browser but in regular and private / incognito modes)
c) lower the `SESSION_TTL` (although this would probably lead to other undesirable consequences)

I imagine you must have a good reason for running both http and https, but if not I'd highly encourage you to think about a). My other two suggestions aren't elegant at all. Hopefully someone else will have a better solution.