We have users who sometimes, inconsistently and thus far without a pattern, get 2 “csrftoken” cookies set. Below is an example. As far as I can tell, it is not possible to set 2 cookies with the same domain, path, and name in HTTP. Obviously, we can’t see that information from the example below. We are attempting to debug further to try and pinpoint the issue. When this happens, the users get a 403 error. This is happening in an AJAX request. We believe that clearing the browser cache or using an incognito window usually fixes the issue, which makes sense since it would clear the cookies. Does anyone have any ideas of why this might happen or how to fix it? Also, potential troubleshooting ideas are welcome.
X-CSRFToken: RcUp0qEoGECo3pmjduTxGMhezvaa1p48YmCe1n33pvKK41BdROSCfDXAZ7NbGdmx
…
Cookie: _fbp=fb.1.1589391743274.1555946806; __utmc=41573937; SESSION_LANGUAGE=eng; III_EXPT_FILE=aa23195; III_SESSION_ID=5e65c3dace10fc752d3fd7d327e5d8ce; __utma=41573937.900931078.1589390988.1599340829.1599614310.5; fpestid=v03uuHv1t99Vakrc2zVBRY65X4da5MOhlylk5U7RsuQSedjK-CN_PTJ3upHuvWfczNxiiQ; _hjTLDTest=1; _hjid=68acf9ae-bdb3-4d85-a02c-d4111af92ef6; WFC_ANALYTICS=sGuwKRRDUIsZOI+RthiTQNm9i7s7wDfLQRTQLWwm/28-; nmstat=f9f1f270-e483-0a26-f898-4c6b08c2ee67; WFC_INSTANCE=Ap7tbq8cBEr303qZTAV7jqtJB38oG9t+qdeBRnewkH0-; WFC_USER=cO8Nzv4/Nuiky0pD/09gFWqYwg6ZGrgVh6w6KbsafGH3bJdP+1Qa6bZB6SLXzsZO; _ga_RNYWDR7C56=GS1.1.1615355826.2.0.1615355831.0; _ga=GA1.2.900931078.1589390988; _ga_L2GG07CYB9=GS1.1.1615355836.1.0.1615355887.0; _gid=GA1.2.1271463431.1615498021; __cfduid=d5d09d3fc1a3d7456a2f288ea69a579361615499773; csrftoken=RcUp0qEoGECo3pmjduTxGMhezvaa1p48YmCe1n33pvKK41BdROSCfDXAZ7NbGdmx; messages="e1beca1c80b75ae33cb2031f60d57b778438a84c$[["__json_message"\0540\05425\054"Login succeeded. Welcome\054 1644929."]]"; csrftoken=IiDFWWafUoKEmB7ssmNH1Q0cw3OmbDfnm2MlhpKSreLWVoIomZH21p4S8MrZS84a;
Thanks,
Michael
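A diagnostic for the situation described in the post above, added here as an example (it is not code from the post or from any framework): it lists cookie names that repeat in a raw Cookie header and reports which copy the X-CSRFToken header equals. The function names and sample values are constructed, and "the last value wins" is an assumption about how the server-side parser treats a repeated name.

```python
from collections import defaultdict


def split_cookie_header(raw):
    """Return (name, value) pairs in wire order, keeping repeated names."""
    pairs = []
    for chunk in raw.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        if not sep:  # bare value with no name
            name, value = "", chunk
        pairs.append((name.strip(), value.strip()))
    return pairs


def duplicate_cookies(raw):
    """Map each repeated cookie name to its values in wire order."""
    seen = defaultdict(list)
    for name, value in split_cookie_header(raw):
        seen[name].append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def csrf_report(raw_cookie, header_token, name="csrftoken"):
    """Relate the X-CSRFToken header to each copy of the CSRF cookie.

    String equality only shows which copy the client-side script read;
    it does not reproduce the server's own token comparison.
    """
    values = [v for n, v in split_cookie_header(raw_cookie) if n == name]
    return {
        "copies": len(values),
        "header_matches_index": [i for i, v in enumerate(values) if v == header_token],
        # Assumption: the server keeps the last value for a repeated name.
        "header_equals_last": bool(values) and values[-1] == header_token,
    }


# Constructed sample with the same shape as the request in the post.
SAMPLE_COOKIE = 'a=1; csrftoken=AAAA1111; messages="x"; csrftoken=BBBB2222;'
SAMPLE_HEADER_TOKEN = "AAAA1111"

if __name__ == "__main__":
    print(duplicate_cookies(SAMPLE_COOKIE))
    print(csrf_report(SAMPLE_COOKIE, SAMPLE_HEADER_TOKEN))
```

The Cookie request header never carries Domain or Path, so once a duplicate is logged, compare the Set-Cookie responses or the browser's cookie storage for copies that differ in those attributes.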