at first the options to diable pihole using the webinterface wern't working using my iPad, but using Chrome on Windows worked fine. Now all those options won't work, even when using Microsoft Edge. A loading icon appears but nothing happens.
From your debug log. Log out of the admin GUI and log in with the correct password:
-rw-r--r-- 1 www-data www-data 484 Mar 24 18:09 /var/log/lighttpd/error.log
2020-03-24 17:26:09: (server.c.1464) server started (lighttpd/1.4.53)
2020-03-24 17:26:15: Wrong token! Please re-login on the Pi-hole dashboard.
2020-03-24 17:29:38: Wrong token! Please re-login on the Pi-hole dashboard.
2020-03-24 18:00:08: Wrong token! Please re-login on the Pi-hole dashboard.
I haven't done any changes to the lighttpd.conf - but I am running dietpi on a rpi4. Pihole is already available within dietpi, so I guess the config was changed by the devs of dietpi..
I can confirm that disabling "url-normalize-required" in lighttpd.conf solves the problem of not being able to disable pihole using the web interface. I also ran into this with pihole Beta 5.0 on DietPi/Rpi3.
It has nothing to do with DietPi, as linked, these are new settings of Lighttpd, enabled by default, as well on all major distros with Lighttpd v1.4.54+. If I understood it correctly, some of them even need to be set disabled (instead of not adding them to lighttpd.conf), hence this might become relevant for the Pi-hole lighttpd.conf as well.
But indeed the one setting that causes this GET request query string issues can be simply removed/commented, and as it is not present in Pi-hole lighttpd.conf, this is currently only on issue when the web server install is skipped via installer, i.e. DietPi in current version. For next release (will become beta the next days) we set all those settings to disabled actively.
I already thought to collect all cases where those cause issues to convince the Lighttpd dev to disable them by default. In every case where users e.g. upgrade Lighttpd and choose to use the maintainer config file version, things will be broken otherwise...
And little note about why it work sometimes, but not in most cases (when the setting is enabled):
Lighttpd with this setting decodes the query string (things like "2%B" that is encoded "+" symbol).
If the token/query string now contains a "+", this is send encoded as "2%B" in the query string.
Lighttpd with this setting now decodes it, so it becomes a "+" again. PHP then decodes it a second time before storing the content in the _GET array. And since the "+" again codes for a white space, the string will have a white space where a "+" was wanted.
This 2%B => "+" => white space is currently the only relevant case where double decoding causes issues, but there might be others.
Hence if the session token by chance does not contain a "+", the doubled decoding does not cause an issue and everything will function. But for statistical reasons in most cases the session token contains a "+", hence things are broken by doubled decoding.