Our application is a payment facilitator, where our checkout process supports both redirect and iframe checkout. To prevent CSRF attacks we use the standard MVC AntiForgeryToken implementation. However, a small percentage of our checkouts fail with an error saying the AntiForgeryToken cookie is missing.
From the logs we summarized that those errors occur only when the user agent is either Mobile Safari or, rarely, Samsung browser, of varying versions and platform versions.
We cannot be certain that these errors occur only when embedded inside of an iframe; however, we haven't been able to reproduce these errors reliably from either the redirected or the embedded version. What's more puzzling is that standard Safari and 3rd-party cookie issues don't explain this either, because in all instances we can tell from the logs that the ASP.NET_SessionId cookie is present.
We have tried setting the P3P header on the response:
HttpContext.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
but that didn't solve it.
Also, we are certain that this happens for legit users too, not exclusively for malicious attackers (assuming any of them are malicious). And to state the obvious, all of these requests contain an HTTP form entry containing the __RequestVerificationToken, but no cookie.
Additionally, all of the logged errors state this: The required anti-forgery cookie "__RequestVerificationToken_L3Yx0" is not present.
We were not able to explain the _L3Yx0 appendix. To be clear though, the appendix is not the problem, or at least not the only one, because we do not receive the cookie in the first place.
What possible explanations are there for this weird behavior, and what can we do to prevent the issue?
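For readers puzzled by the same suffix: System.Web.Helpers derives the default anti-forgery cookie name from the application's virtual path (plain `__RequestVerificationToken` at the site root, otherwise `__RequestVerificationToken_` followed by `HttpServerUtility.UrlTokenEncode` of the UTF-8 path). The Python below is an added example, not code from the question or from ASP.NET, that ports that rule in both directions so a suffix seen in error logs can be mapped back to the virtual path that issued it.

```python
import base64

# Base name used by System.Web.Helpers.AntiForgeryConfig; the suffix is added
# only when HttpRuntime.AppDomainAppVirtualPath is something other than "/".
BASE_NAME = "__RequestVerificationToken"


def url_token_encode(data: bytes) -> str:
    """Port of HttpServerUtility.UrlTokenEncode: URL-safe base64 with the
    '=' padding stripped and its count appended as a single trailing digit."""
    if not data:
        return ""
    b64 = base64.b64encode(data).decode("ascii")
    padding = b64.count("=")
    return b64.rstrip("=").replace("+", "-").replace("/", "_") + str(padding)


def url_token_decode(token: str) -> bytes:
    """Inverse of url_token_encode (port of HttpServerUtility.UrlTokenDecode)."""
    if not token:
        return b""
    padding = int(token[-1])  # last character is the number of '=' removed
    body = token[:-1].replace("-", "+").replace("_", "/")
    return base64.b64decode(body + "=" * padding)


def anti_forgery_cookie_name(app_path: str) -> str:
    """Cookie name MVC expects when the application is hosted at app_path."""
    if not app_path or app_path == "/":
        return BASE_NAME
    return BASE_NAME + "_" + url_token_encode(app_path.encode("utf-8"))


def app_path_from_cookie_name(cookie_name: str) -> str:
    """Recover the application virtual path encoded in a logged cookie name."""
    if cookie_name == BASE_NAME:
        return "/"
    prefix = BASE_NAME + "_"
    if not cookie_name.startswith(prefix):
        raise ValueError("not an anti-forgery cookie name: " + cookie_name)
    return url_token_decode(cookie_name[len(prefix):]).decode("utf-8")


if __name__ == "__main__":
    logged = "__RequestVerificationToken_L3Yx0"  # name taken from the error above
    print(logged, "->", app_path_from_cookie_name(logged))
    print("/v1", "->", anti_forgery_cookie_name("/v1"))
```

Because the name follows the deployment path, the same MVC application hosted under two virtual paths issues and expects two differently named cookies; setting `AntiForgeryConfig.CookieName` explicitly pins one name regardless of path.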