I have implemented CSRF attack prevention on my nodejs server in the following way -
User on login receives a CSRF token and a cookie (JWT based token stored in a cookie). The CSRF token is made a part of all future request headers sent from the client using $.ajaxSetup.
Whenever a request is made (GET or POST) by the user, I compare the cookie and csrf token (in the header) sent by the client with the stored ones on my server and the application works fine.
However, when a logged-in user opens a new tab or a new browser window, the client has the cookie but does not have the CSRF token in its request headers. So the server considers this as a CSRF attack and blocks the request!
My question is - Without compromising on CSRF security, how can I have the same session running on multiple browser tabs and windows without having the user log in multiple times?