Stop regenerating/invalidating CSRF on authentication

Question

I currently have forms on my page, which are there regardless of if a user is logged in or not. Once a user logs in, they are presented with one of these forms (which use CSRF).

The issue is that if this box is presented after the authentication, the CSRF tokens are invalidated. I have confirmed this by allowing myself to submit the form without authentication checks and $form->isValid() returns true whereas after login, it gives me false with the error of:

The CSRF token is invalid. Please try to resubmit the form.

I guess there are three solutions - stop Symfony from regenerating/invalidating the CSRF tokens on authentication, remove the CSRF tokens from these forms or generate my form after authentication (I'd rather avoid this, however). My current solution is to pass a new CSRF token back with the authentication and set forms token input value.

Additional: Does anyone know how to view all CSRF tokens that are currently assigned? The session doesn't seem to hold them.

Answer 1

Thanks to @MarkFox for pointing me to this CWE - although I knew it was through design, I'd hoped there would be a way for me to avoid going down the route I ended up.

For anyone interested, the CWE states:

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

For this reason, I recommend that you go down the path I ended up, sending the new request tokens via AJAX and place them into the relevant forms.

Answer 2

The usual approach is that when someone logs in successfully, the whole page is refreshed, as potentially different data is going to be displayed, customised to the user.

However if you really don't want to do that, You said:

My current solution is to pass a new CSRF token back with the authentication and set forms token input value.

Just do that. There is nothing wrong with that.