Describe the bug
When the PWA cache is enabled via the UI toggle, several issues occur. Logging out returns a 403 Forbidden: CSRF token from POST incorrect error. Additionally, after logging in with multiple user accounts, clicking "Refresh" on the PWA toast can restore a previous user's session without going through the login form again.
Affected version
1.25.x
To Reproduce
Steps to reproduce the behavior:
- Enable PWA cache from the bottom-left toggle in the UI
- Log in with a first user account
- Log in with a second user account in the same browser
- Click "Refresh" on the "Viewing cached content" toast → session switches back to the first user without authentication
- Try to log out → 403 CSRF error
Expected behavior
Each user session should be isolated. Logout should work without CSRF errors regardless of whether the PWA cache is enabled or not.
Screenshots
N/A
Additional context
Running behind a reverse proxy (Traefik) with HTTPS. Redis 7-alpine is used as cache/session backend. Disabling the PWA cache resolves all issues. CSRF_TRUSTED_ORIGINS is properly set.
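One way a PWA service worker can avoid both symptoms reported above (a cached page replaying another account's session, and a stale CSRF token breaking logout), as an added example that is not the project's code: it assumes a Django backend (the quoted error text is Django's), hypothetical auth routes under `/accounts/`, and a hypothetical cache name.

```javascript
// Added example (not code from the issue or the project): a cache-eligibility
// check for a PWA service worker plus a logout-time cache purge. Assumes a Django
// backend (the report's error text is Django's): CSRF field `csrfmiddlewaretoken`.
// Hypothetical auth route prefixes; adjust to the application's real routes.
const AUTH_PATH_PREFIXES = ['/accounts/login', '/accounts/logout'];

// True only if a response is safe for a cache shared by every account that logs
// in on this browser: rejects non-GET, auth endpoints, private/no-store, Vary:
// Cookie (Django adds it when a view touches the session), Set-Cookie, and HTML
// embedding a CSRF token, which is bound to one session and stale after re-login.
function isCacheable(request, response, bodyText = '') {
  if (request.method !== 'GET') return false;
  const { pathname } = new URL(request.url);
  if (AUTH_PATH_PREFIXES.some((p) => pathname.startsWith(p))) return false;
  if (response.status !== 200) return false;
  const cacheControl = (response.headers.get('cache-control') || '').toLowerCase();
  if (/\b(private|no-store)\b/.test(cacheControl)) return false;
  if (/\bcookie\b/i.test(response.headers.get('vary') || '')) return false;
  if (response.headers.get('set-cookie')) return false;
  const contentType = (response.headers.get('content-type') || '').toLowerCase();
  if (contentType.includes('text/html') && bodyText.includes('csrfmiddlewaretoken')) return false;
  return true;
}

// Delete every cache this origin owns; call it on logout so a later "Refresh"
// cannot replay pages rendered for the previous account. `cacheStorage` is the
// CacheStorage object (`caches` in a worker), passed in so it can be tested.
async function purgeAllCaches(cacheStorage) {
  const names = await cacheStorage.keys();
  await Promise.all(names.map((name) => cacheStorage.delete(name)));
  return names.length;
}
// Service-worker wiring; only runs inside a worker global scope.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    event.respondWith((async () => {
      const cache = await caches.open('pwa-cache-v1'); // hypothetical cache name
      const cached = await cache.match(event.request);
      if (cached) return cached;
      const response = await fetch(event.request);
      const isHtml = /text\/html/i.test(response.headers.get('content-type') || '');
      const body = isHtml ? await response.clone().text() : '';
      if (isCacheable(event.request, response, body)) await cache.put(event.request, response.clone());
      return response;
    })());
  });
  self.addEventListener('message', (event) => {
    if (event.data && event.data.type === 'logout') event.waitUntil(purgeAllCaches(caches));
  });
}
```

The page's logout button handler would send the purge signal with `navigator.serviceWorker.controller.postMessage({ type: 'logout' })` before submitting the logout form; server responses for per-user pages should also carry `Cache-Control: private` so the check does not depend on the Django `Vary: Cookie` heuristic alone.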