diff --git a/app/assets/javascripts/editor/ajax.js b/app/assets/javascripts/editor/ajax.js
index 731b3b12..5588b911 100644
--- a/app/assets/javascripts/editor/ajax.js
+++ b/app/assets/javascripts/editor/ajax.js
@@ -10,7 +10,8 @@ CodeOceanEditorAJAX = {
     var message = ((response || {}).responseJSON || {}).message || '';
 
     $.flash.danger({
-      text: message.length > 0 ? message : $('#flash').data('message-failure')
+      text: message.length > 0 ? message : $('#flash').data('message-failure'),
+      showPermanent: response.status === 422,
     });
     Sentry.captureException(JSON.stringify(response));
   }
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e62e4ece..a2927ef1 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -45,25 +45,30 @@ class ApplicationController < ActionController::Base
   private :set_sentry_context
 
   def render_csrf_error
-    set_sentry_context
-    render json: {error: 'CSRF validation failed!!', status: :unprocessable_entity, request_cookies: cookies, session_csrf: session['_csrf_token'], request_csrf: request_authenticity_tokens }, status: :unprocessable_entity
+    render_error t('sessions.expired'), :unprocessable_entity
   end
   private :render_csrf_error
 
   def render_not_authorized
+    render_error t('application.not_authorized'), :unauthorized
+  end
+  private :render_not_authorized
+
+  def render_error(message, status)
+    set_sentry_context
     respond_to do |format|
       format.html do
         # Prevent redirect loop
         if request.url == request.referrer
-          redirect_to :root, alert: t('application.not_authorized')
+          redirect_to :root, alert: message
         else
-          redirect_back fallback_location: :root, allow_other_host: false, alert: t('application.not_authorized')
+          redirect_back fallback_location: :root, allow_other_host: false, alert: message
         end
       end
-      format.json { render json: {error: t('application.not_authorized')}, status: :unauthorized }
+      format.json { render json: {error: message}, status: status }
     end
   end
-  private :render_not_authorized
+  private :render_error
 
   def set_locale
     session[:locale] = params[:custom_locale] || params[:locale] || session[:locale]
diff --git a/app/views/application/_flash.html.slim b/app/views/application/_flash.html.slim
index a2de01a1..02bc5868 100644
--- a/app/views/application/_flash.html.slim
+++ b/app/views/application/_flash.html.slim
@@ -2,6 +2,6 @@
   #flash.container.fixed_error_messages data-message-failure=t('shared.message_failure') data-websocket-failure=t('shared.websocket_failure')
     - %w[alert danger info notice success warning].each do |severity|
       div.alert.flash class="alert-#{{'alert' => 'warning', 'notice' => 'success'}.fetch(severity, severity)} alert-dismissible fade show"
-        p.mb-0 id="flash-#{severity}" = flash[severity]
+        p.mb-0 id="flash-#{severity}" = flash[severity]&.html_safe
         button type="button" class="close" data-dismiss="alert" aria-label="Close"
           span.text-white aria-hidden="true" &times;
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 12621df7..c5b6a4f7 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -750,6 +750,7 @@ de:
     runtime_output: "Programmausgabe"
     test_results: "Testergebnisse"
   sessions:
+    expired: Ihre Session ist abgelaufen. Bitte <a href="javascript:window.location.reload(true)">laden Sie diese Seite neu</a> bevor Sie fortfahren.
     create:
       failure: Fehlerhafte E-Mail oder Passwort.
       success: Sie haben sich erfolgreich angemeldet.
diff --git a/config/locales/en.yml b/config/locales/en.yml
index e39e30c2..528fd6a2 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -750,6 +750,7 @@ en:
     runtime_output: "Runtime Output"
     test_results: "Test Results"
   sessions:
+    expired: Your session has expired. Please <a href="javascript:window.location.reload(true)">reload this page</a> before continuing.
     create:
       failure: Invalid email or password.
       success: Successfully signed in.