Csrf Token And (Client Side) Cacheing

I am running into a problem with the CSRF protection and client side caching.

I use client-side browser caching of some of my pages using the last-modified header (though the CHttpCacheFilter extension). This is causing problems for some users with the comment box on those pages having outdated CRSF tokens.


  1. User visits page which gets cached in their browser.

  2. User returns to page later (after the csrf token cookie has expired). Sees cached version of page.

  3. User attempts to post comment, gets CSRF error because the cached page’s token does not match their cookie.

My first thought on fixing this (without eliminating the caching) is to use ajax to retrieve the new token and update the form. Is this safe to do, or would an ajax query to retrieve the token be a big security hole making the csrf protection moot? The same-origin policy may make it safe, but I’m not sure.

Also, any other better solutions to this problem?


I guess if you want to use csrf protection you cannot use client cache… you could try page caching in Yii.

Using ajax is not better because you still have to call php script.

Anybody finding this page looking for a solution: find a solution here: http://www.yiiframework.com/wiki/506/checking-for-expired-sessions-logins-on-the-client-side/ .