Csrf token does not meet security design
Unknown
## Vulnerability Details
Almost all APIs on liberapay.com carry a csrf token. However, the token is not bound to a specific user. A csrf token is generated even when the user is not logged in, and after a successful login the token does not change. Moreover, a csrf token generated in a different web browser can be substituted by the user and is still accepted.
Initial request:
```http
POST /~153780/identity HTTP/1.1
Host: liberapay.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://liberapay.com/~153780/identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Cookie: __cfduid=dbae28a1d218515c7d4551d1f70b64c8d1528123170; csrf_token=Jsf9LQiIMR362WsEP0elX54Ml4HTSCmv; session="153780:1:lnigjeEgIGmab5Bn60IJXBDEno5cFhv_"
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
csrf_token=Jsf9LQiIMR362WsEP0elX54Ml4HTSCmv&FirstName=feng&LastName=fan&CountryOfResidence=CN&Nationality=CN&Birthday=1997-12-19
```
```http
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2018 09:17:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' liberapay.com;connect-src 'self' *.liberapay.org *.mangopay.com *.payline.com;form-action 'self';img-src * blob: data:;object-src 'none';report-uri https://liberapay.report-uri.com/r/d/csp/enforce;upgrade-insecure-requests;
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: csrf_token=Jsf9LQiIMR362WsEP0elX54Ml4HTSCmv; Domain=.liberapay.com; expires=Tue, 12 Jun 2018 09:17:20 GMT; Path=/; secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 42618ba8ed0013b3-LAX
Content-Length: 59590
```
Modified request, resent with a csrf token generated in a different browser (both the cookie and the form field are swapped):
```http
POST /~153780/identity HTTP/1.1
Host: liberapay.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://liberapay.com/~153780/identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Cookie: __cfduid=dbae28a1d218515c7d4551d1f70b64c8d1528123170; csrf_token=F798zSeZ80HjZipmUAh9ga4DFTgJgZ1H; session="153780:1:lnigjeEgIGmab5Bn60IJXBDEno5cFhv_"
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
csrf_token=F798zSeZ80HjZipmUAh9ga4DFTgJgZ1H&FirstName=feng&LastName=fan&CountryOfResidence=CN&Nationality=CN&Birthday=1997-12-19
```
```http
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2018 09:20:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' liberapay.com;connect-src 'self' *.liberapay.org *.mangopay.com *.payline.com;form-action 'self';img-src * blob: data:;object-src 'none';report-uri https://liberapay.report-uri.com/r/d/csp/enforce;upgrade-insecure-requests;
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: csrf_token=F798zSeZ80HjZipmUAh9ga4DFTgJgZ1H; Domain=.liberapay.com; expires=Tue, 12 Jun 2018 09:20:56 GMT; Path=/; secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 426190ed780313b9-LAX
Content-Length: 59590
```
## Impact
A csrf token that is unique to each user session, and that changes at login, would reduce the risk to the web application.
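To make the mitigation concrete, the following is an added example (not Liberapay's code) that contrasts a plain double-submit check, which accepts the swapped token exactly as the two requests above show, with a check that binds the token to the session cookie. The server secret and the second session value are constructed for the example; the session and token strings are taken from the report.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example only (not Liberapay's).
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def weak_csrf_check(cookies: dict, form: dict) -> bool:
    """Plain double-submit: the form value only has to equal the cookie value.
    Nothing ties the token to the session, so a token minted in another browser,
    or before login, passes as long as the two copies agree."""
    cookie_tok = cookies.get("csrf_token")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, form.get("csrf_token", ""))


def issue_session_bound_token(session_cookie: str) -> str:
    """Mint a token keyed to the session: random nonce plus HMAC(secret, session|nonce).
    Because the MAC covers the session cookie, the token is invalid for every other
    session and must be re-issued whenever the session changes (e.g. at login)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def strong_csrf_check(cookies: dict, form: dict) -> bool:
    """Recompute the MAC from the *current* session cookie; compare in constant time."""
    session_cookie = cookies.get("session")
    token = form.get("csrf_token", "")
    if not session_cookie or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# Values taken from the two requests in the report.
SESSION = "153780:1:lnigjeEgIGmab5Bn60IJXBDEno5cFhv_"
TOKEN_B = "F798zSeZ80HjZipmUAh9ga4DFTgJgZ1H"  # token minted in a different browser


def demo() -> dict:
    """Run both checks against the report's scenario and return the verdicts."""
    mine = issue_session_bound_token(SESSION)
    other = issue_session_bound_token("999999:1:constructed-other-session")  # constructed
    return {
        # Weak scheme accepts the swapped token: the report's finding.
        "weak_accepts_foreign_token": weak_csrf_check({"csrf_token": TOKEN_B, "session": SESSION}, {"csrf_token": TOKEN_B}),
        "bound_accepts_own_token": strong_csrf_check({"session": SESSION}, {"csrf_token": mine}),
        "bound_rejects_foreign_token": strong_csrf_check({"session": SESSION}, {"csrf_token": other}),
        # A token issued before login is dead once the session is replaced.
        "bound_rejects_after_new_session": strong_csrf_check({"session": "153780:2:constructed-new-session"}, {"csrf_token": mine}),
    }


if __name__ == "__main__":
    print(demo())
```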
## Report Stats
- Report ID: 362033
- State: Closed
- Substate: duplicate
- Upvotes: 1