Anytime I try to access a Content Object for the third time (3 clicks in content tree, or Open->edit->publish->open again) I'm getting logged out of the Ibexa Admin.

On Ibexa 3.3.x it happens on requesting

GET /admin/notifications/count HTTP/1.1

On Ibexa 4.4 it happens on requesting the User Avatar:

…user/default_profile_image/initials.svg?initials=MS#profile_image

Subsequently /load-subtree and /graphql fail with a "not authorized" response, as well as a redirect to /login.

Refreshing the page redirects to /login as well.

On 3.3., after loggin in again,  accessing the content-tree is not possible anymore, unless cookies and cache are cleared in the browser.

It only happens on Safari.
It only happens with activated browser cache.

Disabling browser cache in Safari's Dev-Tools prevents the issue from happening completely.
Same goes for using an Incognito window.

On the first two requests the request headers are fine:

GET /admin/notifications/count HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9
Authorization: Basic ZG9lcmtlbjpTUmQ0dzdVUg==
Cache-Control: no-cache
Connection: keep-alive
Cookie: eZSESSID=8vtcuqc7lkmf2kn1tcvvrq6ata
Host: *******
Pragma: no-cache
Referer: *******************
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15
X-Requested-With: XMLHttpRequest
*no* further _formatting_ is done here

 
On the failing request the browser only sends:

GET /admin/notifications/count
Accept: */*
Referer: ***********
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15
X-Requested-With: XMLHttpRequest

Unfortunately I could not reproduce the error on a clean installation.

Do you have any Ideas what might be the cause to this?

Thanks
David