Page Caching, CSRF, and Loading a form via Ajax

Hi all,

I would like to use page caching on my homepage, but also want to
enable people to sign in via a modal dialog sign in form. I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.

That said, besides the additional hit to the server, the CSRF token in
the head area of the page could be different (left over in the page
cache from another user).

I'm guessing that loading a form like this through ajax is not
advisable, but since it works and most people hit the site without
signing in, I'm wondring why not just load the form via an ajax get
call?

Thanks,
Raviv

Hi all,

I would like to use page caching on my homepage, but also want to
enable people to sign in via a modal dialog sign in form. I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.

That said, besides the additional hit to the server, the CSRF token in
the head area of the page could be different (left over in the page
cache from another user).

I'm guessing that loading a form like this through ajax is not
advisable, but since it works and most people hit the site without
signing in, I'm wondring why not just load the form via an ajax get
call?

Well I'm sure that would work, but is there any point to CSRF
protection for a login form?

The aim of the token is to stop an attacker getting an already logged
in use to submit form data unwittingly, but with a login action it
doesn't seem like they can do any harm, since unless the attacker
knows the user's credentials all they are ever going to trigger is a
"bad login please try again" page. On top of that, when the CSRF token
doesn't match up, these days what happens is that your session gets
reset, so that the request gets handled like a non-logged user's
would.

Fred