Hello,
I'm a maintainer of a Django portal for customers of the company I work for. Recently, I added some instrumentation and noticed that iOS (or more generally, mobile Safari) users are often getting a CSRF failure when attempting to log in. The specific error is: CSRF token missing or incorrect. On average, about a dozen users are affected daily, which is about 10% of our daily unique users.
Any idea what might be causing this or how I should go about debugging this? I am unable to reproduce the issue (I know this can be reproduced by opening 2 login pages, logging in in the first tab, then logging in in the second tab, but that is not platform specific and I highly doubt that's the reason why we are seeing so many CSRF failures).
Using Django 2.2.12. Using 'signed_cookies' as the session engine, also set the cookie name and domain (it is used across multiple sub-domains). Everything else (that I think might be relevant) has default values, but feel free to ask about specifics of our setup and config.
Regards,
Bartosz
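
As an added example (not part of the original post and not Django's own code), the sketch below re-implements the token masking used by Django 2.2's CSRF middleware so that a hypothetical `CSRF_FAILURE_VIEW` can log which case of "CSRF token missing or incorrect" a rejected POST falls into. It assumes the default `csrftoken` cookie and `csrfmiddlewaretoken` form field names; `mask`, `unmask`, `classify` and the `csrf.debug` logger name are illustrative.

```python
import logging
import string

CHARS = string.ascii_letters + string.digits  # alphabet of Django 2.2 CSRF tokens
SECRET_LEN = 32                               # token = 32-char salt + 32-char masked secret


def mask(secret, salt):
    """Mask a secret the way Django 2.2 does (only used to build sample tokens)."""
    return salt + "".join(
        CHARS[(CHARS.index(s) + CHARS.index(k)) % len(CHARS)] for s, k in zip(secret, salt)
    )


def unmask(token):
    """Return the secret inside a 64-char token, or None if the token is malformed."""
    if len(token) != 2 * SECRET_LEN or any(c not in CHARS for c in token):
        return None
    salt, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(
        CHARS[(CHARS.index(c) - CHARS.index(k)) % len(CHARS)] for c, k in zip(cipher, salt)
    )


def classify(cookie_token, form_token):
    """Name which case of 'CSRF token missing or incorrect' a rejected POST is."""
    if not form_token:
        return "form_token_missing"
    form_secret = unmask(form_token)
    if form_secret is None:
        return "form_token_malformed"
    cookie_secret = unmask(cookie_token or "")
    if cookie_secret is None:
        return "cookie_missing_or_malformed"
    if cookie_secret != form_secret:
        return "secret_mismatch"  # form rendered under a different cookie than the one sent
    return "secrets_match"        # the rejection came from some other check


def csrf_failure(request, reason=""):
    """Hypothetical CSRF_FAILURE_VIEW: log the class and user agent, never the tokens."""
    from django.views.csrf import csrf_failure as default_view
    kind = classify(request.COOKIES.get("csrftoken"),
                    request.POST.get("csrfmiddlewaretoken"))
    logging.getLogger("csrf.debug").warning(
        "csrf_failure reason=%r kind=%s ua=%r", reason, kind,
        request.META.get("HTTP_USER_AGENT", ""))
    return default_view(request, reason=reason)
```

Pointing the `CSRF_FAILURE_VIEW` setting at the dotted path of `csrf_failure` lets the per-platform counts of each class be read from the logs.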