Here is the scenario in my MVC 5 application:
I have a login form that includes @Html.AntiForgeryToken(). I have a controller that has the login post action decorated with ValidateAntiForgeryToken.
Everything works as expected, except when I run the site in IE (v.11 in my case).
I ran the request through Fiddler and I noticed that the anti forgery cookie is not being sent when I used IE to log in.
This was very strange indeed. It took a lot of research, but I finally figured out the problem. Apparently, IE does not accept cookies from URLs containing an underscore. In my case, this was a temp URL just for development and testing.
I am not sure what the reason for this behavior is, but after changing the URL, everything works as expected.
I thought I would share my findings here. Hopefully, this will save someone a few hours of their life :)
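
A diagnostic for the symptom described above, as an added example that is not code from the original post: a global MVC 5 filter that logs when a POST carries the anti-forgery form field but not the matching cookie, and flags an underscore in the host name. The class name is hypothetical, and it assumes the underscore sits in the host name part of the URL (the post only says "URLs").

```csharp
using System;
using System.Diagnostics;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical diagnostic filter, not part of the original post.
// Assumption: the underscore is in the host name portion of the URL.
public class AntiForgeryCookieDiagnosticAttribute : FilterAttribute, IAuthorizationFilter
{
    // Default name of the hidden field rendered by @Html.AntiForgeryToken().
    private const string TokenFieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // ValidateAntiForgeryToken only matters on form posts.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // The hidden field is posted no matter how the browser treats cookies.
        bool fieldPresent = !string.IsNullOrEmpty(request.Form[TokenFieldName]);
        // The cookie half of the token pair; this is what was missing in Fiddler.
        bool cookiePresent = request.Cookies[AntiForgeryConfig.CookieName] != null;

        if (!fieldPresent || cookiePresent)
            return; // nothing to diagnose

        string host = request.Url != null ? request.Url.Host : string.Empty;
        if (host.IndexOf('_') >= 0)
        {
            Trace.TraceWarning(
                "Anti-forgery cookie missing on POST to host '{0}'. The host name " +
                "contains an underscore, which IE is reported to reject cookies for.",
                host);
        }
        else
        {
            Trace.TraceWarning(
                "Anti-forgery cookie missing on POST to host '{0}'. Check whether " +
                "the browser accepted the cookie set by the form page.", host);
        }
    }
}

// Register in FilterConfig.RegisterGlobalFilters so it runs before the
// action-level ValidateAntiForgeryToken filter:
//   filters.Add(new AntiForgeryCookieDiagnosticAttribute());
```

The filter only logs; validation and the resulting error are still handled by ValidateAntiForgeryToken.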