Is it a security concern to allow a client to generate a CSRF token at login time, usable by the client upon the next request?

For background, this question is the result of my brainstorming for a solution to this other question: Securely renewing a session without javascript and without breaking CSRF protection

I’ve had a thought, but I’m not sure if it’s secure or not. Does the following seem exploitable in any way?

At the time of login the client sends a pseudo-random string (which is actually the “old” csrf token from the user’s previous session, to refer to the previous question) alongside the username and password. The server then associates that csrf token with that particular client for the next request. The user would then get a new CSRF token to use from the server. Essentially, if a CSRF token is initially set by a client during authentication, is it safe to use that same token to validate that same client on a subsequent request, with the token taking not one but two full round trips?

I had initially assumed that would be insecure, but the more I think about it, I really can’t think of an exploit. The token would be sent alongside the credentials, so an attacker couldn’t set the CSRF token unless they also had the username and password, in which case security is already compromised. Or am I wrong about that?


OnePlus 9RT vs OnePlus 9R – Specifications and Pricing Compared

A simple baseline for the 2022 IEEE GRSS Data Fusion Contest (DFC2022)