craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

CSRF Issue in iOS / Mobile Safari — unable to verify your data submission #9637

Open codyjames opened 3 years ago

codyjames commented 3 years ago

Description

We get quite a few "unable to verify your data submission" CSRF errors on our site (50-100 a day). We've got around 7k users logging in and doing things. Almost all of these happen on Mobile Safari. We even switched from CSRF cookies to session with no luck.

Note that it doesn't happen for every mobile safari user — but it happens enough that it's an issue.

Here is a screenshot of the error in our Sentry account:

[Screenshot of the Sentry error, taken 2021-07-23]

Steps to reproduce

  1. Have a site with a lot of users/forms.
  2. 50-100 times a day you'll get "unable to verify your data submission" errors from users using Mobile Safari.

Additional info

codyjames commented 3 years ago

Some similar issues on other platforms:

brandonkelly commented 3 years ago

Guessing this is environmental. Can you please email support@craftcms.com about this? We can help you look into it from there.

remcoov commented 1 year ago

Any updates on this? We have the same problem... lots of 'unable to verify your data submission'.

codyjames commented 1 year ago

@remcoov I was unable to resolve it. Still get quite a few of these errors for folks on Mobile Safari. Let me know if you end up finding a solution though!

remcoov commented 1 year ago

Yeah, we're not only getting this on Mobile Safari. Just curious, how do you handle this for the user?

angrybrad commented 1 year ago

Just a theory, but try setting https://craftcms.com/docs/4.x/config/general.html#requirematchinguseragentforsession to false - session is taken into account for CSRF tokens, and maybe mobile Safari is changing their user agent string frequently.
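A way to check that theory against your own request logs before changing the setting, added here as an example and not code from the issue or from Craft: it groups requests by session id and flags sessions whose User-Agent string changed between requests, which is exactly the condition under which a user-agent-bound session (and so its CSRF token) would stop verifying. The log format, field names and session ids below are constructed sample data, not Craft's or Sentry's output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic): one request per line with a
# timestamp, a session id, the User-Agent string and the request outcome.
SAMPLE_LOG = """\
2021-07-23T13:40:01Z sid=a1b2 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_6) Version/14.1.1 Mobile/15E148 Safari/604.1" status=ok
2021-07-23T13:41:10Z sid=a1b2 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_6) Mobile/15E148" status=csrf_fail
2021-07-23T13:42:30Z sid=c3d4 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" status=ok
2021-07-23T13:43:05Z sid=c3d4 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" status=ok
2021-07-23T13:44:00Z sid=e5f6 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 14_6) Version/14.1.1 Mobile/15E148 Safari/604.1" status=csrf_fail
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" status=(?P<status>\S+)$')

def parse_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def sessions_with_ua_change(records):
    """Return {sid: [distinct UA strings, in order seen]} for every session whose
    User-Agent varied. With requireMatchingUserAgentForSession enabled such a
    session no longer matches, and the CSRF token bound to it cannot be verified."""
    seen = defaultdict(list)
    for r in records:
        if r["ua"] not in seen[r["sid"]]:
            seen[r["sid"]].append(r["ua"])
    return {sid: uas for sid, uas in seen.items() if len(uas) > 1}

def csrf_failures_explained_by_ua_change(records):
    """Split CSRF failures into those whose session showed a UA change
    (consistent with the theory) and those that did not (need another cause)."""
    changed = sessions_with_ua_change(records)
    explained, unexplained = [], []
    for r in records:
        if r["status"] == "csrf_fail":
            (explained if r["sid"] in changed else unexplained).append(r["sid"])
    return explained, unexplained

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sessions with UA change:", sessions_with_ua_change(recs))
    print("explained / unexplained CSRF failures:", csrf_failures_explained_by_ua_change(recs))
```

If most failures land in the "unexplained" bucket, the user-agent setting is unlikely to be the cause and the problem lies elsewhere (cookie or session storage).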