Ok a bit more info after investigating.

It turns out sometimes when the page loads the __RequestVerificationToken cookie is missing along with .EPiForm_BID  and .EPiForm_VisitorIdentifier. 

The tag <input name="__RequestVerificationToken" type="hidden" value=""/> when the cookie is missing always has the same token value.  So the clue might be there, possible caching maybe?

Is your website hosted in a load balanced environment ?

It's on the DXC cloud environment.  

I have confirmed it's the output cache of the page doing it.

If you load a cached version of the page, the form will not create the cookies required.

I have the same issue. When I have ContentOutputCache attribute present on a page-controller that has a form on the page the value in the form field "__RequestVerificationToken" is never updated.

Steps to reproduce:

1. Set the [ContentOutputCache] on the current page controller.
2. Restart the site (clear all cache)
3. Visit the page with the form in one browser and send the form (this works fine)
4. Visit the age in another browser and try posting the form (this fails)

The value in the hidden input "__RequestVerificationToken" are the same in both browsers. The sesison cookie value differs between the browsers and this is causing the comparison of the two to fail.

Im running Episerver 11.9.3, with Forms version 4.15.1, no custom FormContainerBlock.ascx.

Is there a way to force the input value to update but still have the ContentOutputCache enabled?

The only way I got around it was to force the form to not cache the page.  So I added this to the FormContainerBlock.ascx

<% //Expire page cache fix for form output caching on the page causing cookies to not be generated.
HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
HttpContext.Current.Response.Cache.SetValidUntilExpires(false);
HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();
%>

Ok, that's bad news for me since we have a contact-form on all pages... I guess that means I have to skip the Outputcache.

It's weird though, because I have only noticed this issue after we upgraded to Episerver 11.x, maybe there were some changes to how the tokens are generated?

I just found that the code on teh form page that generates the cookies just never fires as the whole form container is cached.  If there's a way to keep it cached and still clear those cookies then that would be good!  I guess maybe some javascript might be able to delete them as that would always fire regardless of page caching.  The problem is the __RequestVerificationToken  is a http cookie so I couldn't get to it via javascript to manipulate it.

Yes that changed on Episerver 11.  I had to add 

<%= Html.GenerateAntiForgeryToken(Model) %>

to my form container as they'd changed theirs.