Multiple csrftoken cookies

We have users who sometimes, inconsistently and thus far, without a pattern get 2 “csrftoken” cookies set. Below is an example. As far as I can tell, it is not possible to set 2 cookies with the same domain, path, and name in HTTP. Obviously, we can’t see that information from the below example. We are attempting to debug further to try and pinpoint the issue. When this happens, the users get a 403 error. This is happening in an AJAX request. We believe that clearing the browser cache or using an incognito window usually fixes the issue, which makes sense since it would clear the cookies. Does anyone have any ideas of why this might happen or how to fix it? Also, potential troubleshooting ideas are welcome.

X-CSRFToken: RcUp0qEoGECo3pmjduTxGMhezvaa1p48YmCe1n33pvKK41BdROSCfDXAZ7NbGdmx

Cookie: _fbp=fb.1.1589391743274.1555946806; __utmc=41573937; SESSION_LANGUAGE=eng; III_EXPT_FILE=aa23195; III_SESSION_ID=5e65c3dace10fc752d3fd7d327e5d8ce; __utma=41573937.900931078.1589390988.1599340829.1599614310.5; fpestid=v03uuHv1t99Vakrc2zVBRY65X4da5MOhlylk5U7RsuQSedjK-CN_PTJ3upHuvWfczNxiiQ; _hjTLDTest=1; _hjid=68acf9ae-bdb3-4d85-a02c-d4111af92ef6; WFC_ANALYTICS=sGuwKRRDUIsZOI+RthiTQNm9i7s7wDfLQRTQLWwm/28-; nmstat=f9f1f270-e483-0a26-f898-4c6b08c2ee67; WFC_INSTANCE=Ap7tbq8cBEr303qZTAV7jqtJB38oG9t+qdeBRnewkH0-; WFC_USER=cO8Nzv4/Nuiky0pD/09gFWqYwg6ZGrgVh6w6KbsafGH3bJdP+1Qa6bZB6SLXzsZO; _ga_RNYWDR7C56=GS1.1.1615355826.2.0.1615355831.0; _ga=GA1.2.900931078.1589390988; _ga_L2GG07CYB9=GS1.1.1615355836.1.0.1615355887.0; _gid=GA1.2.1271463431.1615498021; __cfduid=d5d09d3fc1a3d7456a2f288ea69a579361615499773; csrftoken=RcUp0qEoGECo3pmjduTxGMhezvaa1p48YmCe1n33pvKK41BdROSCfDXAZ7NbGdmx; messages=“e1beca1c80b75ae33cb2031f60d57b778438a84c$[[”__json_message"\0540\05425\054"Login succeeded. Welcome\054 1644929."]]"; csrftoken=IiDFWWafUoKEmB7ssmNH1Q0cw3OmbDfnm2MlhpKSreLWVoIomZH21p4S8MrZS84a;


Is it possible that the tokens are for different, but valid domains? One might be at the root domain and another at a subdomain.

We don’t have more than one domain. I think the header should have a “domain=value” or a “path=value” if either of those were present. We still don’t have a clear picture of what is stetting the 2nd cookie and where. Either way, it seems to be causing issues and it seems to be happening in Django rather than the application.

It turns out it was another cookie with a matching domain.