'Authentication Required' loop on scp/login.php with 'Invalid CSRF Token' errors. Session works for a few minutes after truncating ost_session then fails again. Site is behind Cloudflare.

The root cause was a 'Header set Set-Cookie' directive in .htaccess that was overwriting all cookie headers and losing the PHP session variable. Changing 'Header set Set-Cookie' to 'Header add Set-Cookie' fixed the issue. Additionally: ensure TRUSTED_PROXIES is set correctly in ost-config.php for proxy/Cloudflare environments, disable 'Bind Agent Session to IP' in Admin Panel > Settings > Agents, and ensure HTTP->HTTPS redirects are handled at the VirtualHost level rather than via .htaccess rewrites.