The common causes for a session mismatch error are usually one of the following:

1. Mis-configured URL parameter in your config.json file

If you have a misconfigured url value in your config.json file, the cookie may be saved incorrectly (or not at all), causing a session mismatch error. Please ensure that the link you are accessing your site with and the url defined match.

2. Improper/malformed cookieDomain set in ACP

Sometimes admins set this value without realising that they probably don't need to set it at all. The default is perfectly fine. This is what the config looks like:

Cookie Domain setting

If this is set, you'll want to revert the setting by editing your database directly:

Redis: hdel config cookieDomain
MongoDB: db.objects.update({ _key: "config" }, { $set: "cookieDomain": "" });

3. Missing X-Forwarded-Proto header from nginx/apache

If you are using a reverse proxy, you will need to have nginx pass a header through to NodeBB so it correctly determines the correct cookie secure property.

In nginx, you will need to add the directive like so:

location / { ... proxy_set_header X-Forwarded-Proto $scheme; ... }