I have the same problem.
On IGOR, I logged in (worked fine) and then tried to log out; the "Security Token did not match. Possible CSRF attack." message appeared and I could not log out. On Hogfather, everything worked fine. The contexts and environments are the same for both. I did not use a proxy, but I do use the vector template.
inc/common.php: checkSecurityToken() produced the message.
    if(is_null($token)) $token = $INPUT->str('sectok');
    if(getSecurityToken() != $token) {
        var_dump(something); // <-- ** I inserted **
        msg('Security Token did not match. Possible CSRF attack. ', -1);
        return false;
    }
var_dump($token); -->string(0) ""
var_dump(getSecurityToken()); -->string(32) "2df4d10dd21b997578b51152d9871dd6"
var_dump($INPUT); --> A long string appeared but "sectok" was not included.
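
The dumps above show the logout request arriving with no `sectok` at all. As an added example (not part of the post above and not DokuWiki or template code), this scans rendered page HTML for logout links that carry no token. It assumes the logout link is an `<a>` whose query string has `do=logout` and that the token travels as a `sectok` query parameter; the function name `logoutLinksMissingSectok` and the sample HTML are constructed for illustration.

```php
<?php
// Added example. The HTML in $sample is constructed; the token value is the
// one shown in the var_dump output of the post.

/**
 * Return the href of every logout link that has no non-empty sectok parameter.
 */
function logoutLinksMissingSectok(string $html): array
{
    $doc = new DOMDocument();
    // Rendered template output is rarely strict HTML; collect parser warnings quietly.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $missing = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href  = $a->getAttribute('href');          // entities are already decoded here
        $query = parse_url($href, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;                               // no query string, not an action link
        }
        parse_str($query, $params);
        if (($params['do'] ?? '') !== 'logout') {
            continue;
        }
        // A missing or empty sectok reaches the token check as string(0) "".
        $tok = $params['sectok'] ?? '';
        if (!is_string($tok) || $tok === '') {
            $missing[] = $href;
        }
    }
    return $missing;
}

$sample = <<<HTML
<html><body>
<a href="/doku.php?id=start&amp;do=logout">Logout (hard-coded link)</a>
<a href="/doku.php?id=start&amp;do=logout&amp;sectok=2df4d10dd21b997578b51152d9871dd6">Logout</a>
<a href="/doku.php?id=start&amp;do=edit">Edit</a>
</body></html>
HTML;

foreach (logoutLinksMissingSectok($sample) as $href) {
    echo "logout link without sectok: $href\n";
}
```

Run against the saved HTML of a logged-in page, any link it reports would fail the check in the same way as described in the post.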