Reputation: 2550
I have an application in which I would like to implement protection against CSRF using a security token, but also to make my application available for that same user if he opens a new tab.
When the user authenticates himself with his correct username/password combination, I add him to the session and return a cookie that contains the token. When the cookie arrives, I remove the token from the cookie and store it in a global variable. With each request I make I append the token and compare it with the one on the server.
The problem is that when I open a new tab, the user gets automatically removed from the session, because a request that doesn't contain a correct token is received.
I understand that if I store that token in the cookie or in localStorage I would be able to read it from another tab and the request will be valid, but I'm not sure how safe this implementation is, or even which one is better. With a simple XSS you could read the token from the cookie/localStorage/global variable...
Are there any other ways I can implement a CSRF token protection and still be able to use my application from another browser tab?
Upvotes: 1
Views: 1120
Reputation: 33538
With a simple XSS you could read the token from the cookie/localStorage/global variable...
If your site is vulnerable to XSS then this always supersedes any CSRF vulnerability.
As long as CSRF tokens are refreshed for every new session, there is no need to change the CSRF token once it has been used. An attacker cannot read the token so there is no extra risk.
This will enable tokens to work across tabs with no loss in security.
Upvotes: 2
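The two policies discussed above, side by side, as an added example that is not part of the question or the answer: a per-session CSRF token stored server-side (the answer's recommendation), compared in constant time, against a token that is rotated after every use (the questioner's scheme). The session store, the `login` flow and the `two_tabs` simulation are assumptions made for the example; the point it shows is that a second tab holding an older copy of the token is only rejected when the token rotates per request.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session_id -> {"user", "csrf"}
SESSIONS = {}


def login(username):
    """Create a session and bind exactly one CSRF token to it (assumed login flow)."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id):
    """The token the server embeds in the page; every tab of one session gets the same value."""
    return SESSIONS[session_id]["csrf"]


def handle_request(session_id, submitted_token, rotate_per_request=False):
    """Validate a state-changing request.

    Returns "ok" when the submitted token matches the session's token, "rejected"
    otherwise. rotate_per_request=True models the questioner's scheme: the token
    is replaced after each successful use, so a copy held by another tab goes stale.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected"
    expected = session["csrf"]
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted_token or "", expected):
        return "rejected"
    if rotate_per_request:
        session["csrf"] = secrets.token_urlsafe(32)
    return "ok"


def logout(session_id):
    """Destroying the session also retires its token; the next login gets a fresh one."""
    SESSIONS.pop(session_id, None)


def two_tabs(rotate_per_request):
    """Simulate two tabs that each load the page (reading the token) and then each submit.

    Returns the outcome of the second tab's request.
    """
    sid = login("alice")
    tab_a_token = csrf_token_for(sid)  # tab A loads the page
    tab_b_token = csrf_token_for(sid)  # tab B loads the page, same session
    handle_request(sid, tab_a_token, rotate_per_request)  # tab A submits first
    result = handle_request(sid, tab_b_token, rotate_per_request)  # tab B submits
    logout(sid)
    return result


if __name__ == "__main__":
    print("per-session token, second tab:", two_tabs(rotate_per_request=False))
    print("per-request rotation, second tab:", two_tabs(rotate_per_request=True))
```

With a per-session token the second tab's request is accepted; with per-request rotation it is rejected, which is exactly the behaviour described in the question. A forged or missing token is rejected under either policy, so dropping the rotation costs nothing against a cross-site attacker who cannot read the token.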