I have some problems with this and running on AWS.
My diagnosis is that this problem usually occurs for users who start to fill in a form and leave it unfinished and open for a long period of time (15min+), or for some users with very slow internet.
I don't think it is a Yii2-specific issue though, but I don't know how to tackle it and it would be great to hear from others.
In order to prevent CSRF attacks, all POST requests must include a valid CSRF token. If this token is not present or cannot be verified, Yii will abort the request with that error.
I don’t know exactly how long the tokens are valid but if users are waiting 15+ minutes before submitting a form, the most likely cause is expired tokens.
There are many possible causes of this issue, such as:
- session expired - normally after 20 minutes each PHP session expires, so any submitted CSRF token will be invalid
- you have many tabs open in a browser for the same site/page - if you do one request in the first tab, a POST form submitted in a second tab will submit an already invalid CSRF token
- missing CSRF parameters in an AJAX request - these must be injected by you, it is not done automatically by the framework unless you render ActiveForm - e.g. see solution here.
Your description is too vague to guess the reason more precisely; just a stack trace is not enough. It would be helpful to see some HTML/JavaScript which sends the request.
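As an added example that is not part of the original thread: one way to inject the CSRF token into an AJAX request by hand, reading it from the `<meta>` tags and sending it in the `X-CSRF-Token` header that Yii2 accepts. It assumes the layout calls `Html::csrfMetaTags()`; the helper names, the `app.example` origin and the token value are constructed for illustration.

```javascript
// Added example, not code from the thread. Assumes the page layout calls
// Html::csrfMetaTags(), so the csrf-param / csrf-token <meta> tags exist.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS']; // Yii2 skips CSRF validation for these

// Read the token pair from the <meta> tags; null if the layout omitted them.
// `param` is the field name to use when the token goes in a form body instead.
function readCsrf(doc) {
  const param = doc.querySelector('meta[name="csrf-param"]');
  const token = doc.querySelector('meta[name="csrf-token"]');
  if (!param || !token) return null;
  return { param: param.getAttribute('content'), token: token.getAttribute('content') };
}

// Return fetch() options with X-CSRF-Token added when the request needs it.
// pageOrigin is location.origin in a browser; init.headers is a plain object.
function withCsrf(doc, pageOrigin, url, init = {}) {
  const method = (init.method || 'GET').toUpperCase();
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  // Never attach the token to another origin: that would disclose it.
  if (SAFE_METHODS.includes(method) || !sameOrigin) return init;
  const csrf = readCsrf(doc);
  if (!csrf) throw new Error('CSRF meta tags missing: call Html::csrfMetaTags() in the layout');
  return { ...init, headers: { ...(init.headers || {}), 'X-CSRF-Token': csrf.token } };
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function fakeDocument(tags) {
  return {
    querySelector(sel) {
      const name = /name="([^"]+)"/.exec(sel)[1];
      return name in tags ? { getAttribute: () => tags[name] } : null;
    },
  };
}

// Browser usage: fetch(url, withCsrf(document, location.origin, url, { method: 'POST', body }))
function demo() {
  const doc = fakeDocument({ 'csrf-param': '_csrf', 'csrf-token': 'CONSTRUCTED-TOKEN' });
  const origin = 'https://app.example';
  return {
    post: withCsrf(doc, origin, '/site/save', { method: 'POST' }),
    get: withCsrf(doc, origin, '/site/view', { method: 'GET' }),
    foreign: withCsrf(doc, origin, 'https://other.example/hook', { method: 'POST' }),
  };
}
```

Because the token is read at the moment of the request, it reflects whatever the currently loaded page carries; a page left open past session expiry still needs a reload to obtain a fresh token.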