Tags: asp.net, .net, asp.net-mvc, csrf

Does AntiForgeryToken require session state?


I don't use session, so I removed it together with all HTTP modules I don't need.

I sometimes get this error: System.Web.Mvc.HttpAntiForgeryException: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Or this one: System.Web.Mvc.HttpAntiForgeryException: The provided anti-forgery token was meant for a different claims-based user than the current user.

When I enable session, it works.

So the question is: does the csrf stuff depend on session state?


Solution

ASP.NET session is not required for anti-forgery tokens to work. The token is stored in a hidden form field and in a cookie, separate from a cookie session (you may find details here). Additionally, when an anti-forgery token is invalid, an exception is thrown, so it does not look like the problem you have is connected with anti-forgery tokens. Maybe record a Fiddler session, attach it to a new SO question, and we should be able to better guide you.
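The following is an added example, not code from the question or the answer above and not part of any project the page describes. It makes the answer's point concrete in ASP.NET MVC 5: the anti-forgery check compares a cookie with a form value (or, for AJAX, a header value) and never consults session state. The controller, action, namespace and header names are assumptions chosen for illustration; the `AntiForgery`, `AntiForgeryConfig`, `ValidateAntiForgeryToken` and `HttpStatusCodeResult` APIs are the real ones from `System.Web.Helpers` and `System.Web.Mvc`.

```csharp
// Added example (not the original page's code). Shows where the two halves of
// an ASP.NET MVC anti-forgery token live (cookie + form field/header) and how
// validation fails closed with an exception, independent of session state.
// Namespace, controller, action and header names are assumptions.
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

namespace Demo.Web
{
    // Validates the cookie/form token pair for requests that carry the form
    // token in a header (typical for AJAX). Ordinary form posts can rely on
    // [ValidateAntiForgeryToken], which performs the same cookie + form check.
    public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public const string HeaderName = "X-RequestVerificationToken"; // assumed header name

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            HttpRequestBase request = filterContext.HttpContext.Request;

            // Half one: the cookie. Its name is AntiForgeryConfig.CookieName
            // (default "__RequestVerificationToken"). No session lookup occurs.
            HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
            string cookieToken = cookie != null ? cookie.Value : null;

            // Half two: the form token, sent in a header by the AJAX client.
            string formToken = request.Headers[HeaderName];

            try
            {
                // Throws an HttpAntiForgeryException (MVC's and Web Pages' types
                // both derive from HttpException) when the pair is missing,
                // mismatched, undecryptable or bound to a different user.
                AntiForgery.Validate(cookieToken, formToken);
            }
            catch (HttpException)
            {
                // Fail closed: the action never runs on a bad token.
                filterContext.Result = new HttpStatusCodeResult(
                    HttpStatusCode.BadRequest, "Invalid anti-forgery token.");
            }
        }
    }

    public class AccountController : Controller
    {
        // GET: the view calls @Html.AntiForgeryToken(), which issues the cookie
        // and emits the hidden __RequestVerificationToken form field.
        [HttpGet]
        public ActionResult ChangeEmail()
        {
            return View();
        }

        // Form post: the built-in filter compares cookie and hidden field.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult ChangeEmail(string newEmail)
        {
            // ... persist the change here ...
            return RedirectToAction("ChangeEmail");
        }

        // AJAX variant protected by the header-based filter above.
        [HttpPost]
        [ValidateHeaderAntiForgeryToken]
        public ActionResult ChangeEmailAjax(string newEmail)
        {
            return Json(new { ok = true });
        }

        // Hands an AJAX client a token pair: the cookie half is (re)issued via
        // Set-Cookie, the form half is returned in the body to go in the header.
        [HttpGet]
        public ActionResult Token()
        {
            HttpCookie existing = Request.Cookies[AntiForgeryConfig.CookieName];
            string newCookieToken, formToken;
            AntiForgery.GetTokens(existing != null ? existing.Value : null,
                                  out newCookieToken, out formToken);
            if (newCookieToken != null)
            {
                Response.Cookies.Set(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
                {
                    HttpOnly = true
                });
            }
            return Content(formToken, "text/plain");
        }
    }
}
```

Two caveats follow from the error messages quoted in the question rather than from this example. The first message's own advice, an explicit `<machineKey>` with fixed validation and decryption keys in web.config, is a configuration matter that this code does not touch; every worker process must decrypt tokens issued by any other. The second message concerns claims-based identities: `AntiForgeryConfig.UniqueClaimTypeIdentifier` selects the claim the token is bound to, and this example leaves it at its default. Neither setting involves session state.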