Cannot recover from CSRF error without session timeout


      Reproduce:

      • Log in to Cockpit
      • Invalidate the CSRF token (open the browser dev tools and change the value of the XSRF-TOKEN cookie)
      • Perform any operation that uses a POST request, e.g. go to any process definition page
      • Observe the "denied by server" error message and refresh the page

      Expected:

      • After the page refresh, the CSRF token is refreshed

      Observed:

      • Because the token is stored in a cookie, the issue persists even after the page refresh

      Workaround:

      • Let the session expire and log in again. On login, a new CSRF token is granted (it is not possible to log out without the correct CSRF token, so waiting for a session timeout or clearing the session cookie manually is the only way)
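      The recovery this report asks for, modelled as an added Python example (not Cockpit's own filter code): it assumes the server keeps the canonical token in the session and mirrors it in the XSRF-TOKEN cookie, and shows the no-recovery behaviour beside a fix that re-sets the cookie on a safe request whenever it no longer matches the session.

```python
import secrets

# Constructed in-memory model of a session-backed double-submit CSRF filter.
COOKIE = "XSRF-TOKEN"
HEADER = "X-XSRF-TOKEN"
MODIFYING = {"POST", "PUT", "DELETE", "PATCH"}


class Session:
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)  # canonical token, server side


def csrf_filter(session, method, cookies, headers, reissue_on_mismatch):
    """Return (allowed, set_cookie). set_cookie is the value the server
    should send back in Set-Cookie for XSRF-TOKEN, or None."""
    if method in MODIFYING:
        # Double-submit check: the header (copied from the cookie by the
        # client) must match the token the server holds in the session.
        if headers.get(HEADER) != session.csrf_token:
            return False, None  # "denied by server"
        return True, None
    # Safe request, e.g. the page load on refresh.
    if reissue_on_mismatch and cookies.get(COOKIE) != session.csrf_token:
        # Recovery: push the session's token back into the cookie so the
        # next modifying request carries a matching header again.
        return True, session.csrf_token
    return True, None


def reproduce(reissue_on_mismatch):
    """Walk through the report's steps; return True if the client recovers."""
    session = Session()
    cookies = {COOKIE: session.csrf_token}  # login sets the cookie
    cookies[COOKIE] = "stale-or-edited"     # cookie no longer matches the session
    # POST with the header copied from the now-wrong cookie: denied
    ok, _ = csrf_filter(session, "POST", cookies,
                        {HEADER: cookies[COOKIE]}, reissue_on_mismatch)
    assert not ok
    # Page refresh (GET): the server may or may not re-set the cookie
    _, new_cookie = csrf_filter(session, "GET", cookies, {}, reissue_on_mismatch)
    if new_cookie is not None:
        cookies[COOKIE] = new_cookie
    # Retry the POST after the refresh
    ok, _ = csrf_filter(session, "POST", cookies,
                        {HEADER: cookies[COOKIE]}, reissue_on_mismatch)
    return ok
```

Without reissue the client stays locked out until the session ends, which is the observed behaviour; with reissue the refresh alone repairs the cookie.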

            Assignee:
            Michael Schoettes
            Reporter:
            Sebastian Stamm
            Votes:
            0
            Watchers:
            2
