Strange behavior of CSRF tokens with a low csrf_expire (3.1.2)
#1

(This post was last modified: 01-26-2017, 01:38 PM by spjonez.)

If you enable CSRF and a user sits on your login page for greater than the value of csrf_expire they will see a 403 forbidden page when they submit the form. Ideally CSRF should be transparent to a user so my goal is the following:

1. User idles on our login page for greater than csrf_expire
2. User submits the form over AJAX, error handler sees the 403 and makes another request whitelisted from CSRF checks to retrieve the latest token
3. User's initial request is resubmitted with the new token

config.php:

Code:
$config['cookie_prefix']   = '';
$config['cookie_path']     = '/';
$config['cookie_secure']   = TRUE;
$config['cookie_httponly'] = TRUE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['csrf_expire'] = 10;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array('token');

I'm using 10 to make simulating the issue easier. Now things get weird. Look at the timestamps and CSRF values in this screenshot:

[Image: QODMrYT.png]

Under the first ~==~ the first login was submitted and the conduit captured the 403, made an AJAX call to /token to get the latest CSRF value, then sent the request again. That request also 403'd so once again it requested the CSRF token and received a different value. The original request was resubmitted and again 403'd. With csrf_expire set to 10, how can two different values exist <1s apart and neither be valid?

I know this is not a bug with how I'm handling CSRF tokens, as I can set csrf_expire back to 7200 and enable csrf_regenerate and requests will correctly fail and request new tokens as you'd expect when multiple requests are involved.

Has anyone else encountered this?

CI log set to 4:

Code:
INFO - 2017-01-26 16:31:32 --> Config Class Initialized
INFO - 2017-01-26 16:31:32 --> Hooks Class Initialized
DEBUG - 2017-01-26 16:31:32 --> UTF-8 Support Enabled
INFO - 2017-01-26 16:31:32 --> Utf8 Class Initialized
INFO - 2017-01-26 16:31:32 --> URI Class Initialized
INFO - 2017-01-26 16:31:32 --> Router Class Initialized
INFO - 2017-01-26 16:31:32 --> Output Class Initialized
INFO - 2017-01-26 16:31:32 --> Security Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Global POST, GET and COOKIE data sanitized
INFO - 2017-01-26 16:31:32 --> Config Class Initialized
INFO - 2017-01-26 16:31:32 --> Hooks Class Initialized
DEBUG - 2017-01-26 16:31:32 --> UTF-8 Support Enabled
INFO - 2017-01-26 16:31:32 --> Utf8 Class Initialized
INFO - 2017-01-26 16:31:32 --> URI Class Initialized
INFO - 2017-01-26 16:31:32 --> Router Class Initialized
INFO - 2017-01-26 16:31:32 --> Output Class Initialized
INFO - 2017-01-26 16:31:32 --> Security Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Global POST, GET and COOKIE data sanitized
INFO - 2017-01-26 16:31:32 --> Input Class Initialized
INFO - 2017-01-26 16:31:32 --> Language Class Initialized
INFO - 2017-01-26 16:31:32 --> Loader Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/app.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/app.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/storage.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/assets.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/metrics.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/defaults.php
INFO - 2017-01-26 16:31:32 --> Helper loaded: array_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: url_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: date_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: requirejs_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: dustjs_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: bootstrap_helper
INFO - 2017-01-26 16:31:32 --> Database Driver Class Initialized
INFO - 2017-01-26 16:31:32 --> Session: Class initialized using 'redis' driver.
INFO - 2017-01-26 16:31:32 --> Model Class Initialized
INFO - 2017-01-26 16:31:32 --> Controller Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Minifier shaved 0KB (0%) off final HTML output.
INFO - 2017-01-26 16:31:32 --> Final output sent to browser
DEBUG - 2017-01-26 16:31:32 --> Total execution time: 0.0456
INFO - 2017-01-26 16:31:32 --> Config Class Initialized
INFO - 2017-01-26 16:31:32 --> Hooks Class Initialized
DEBUG - 2017-01-26 16:31:32 --> UTF-8 Support Enabled
INFO - 2017-01-26 16:31:32 --> Utf8 Class Initialized
INFO - 2017-01-26 16:31:32 --> URI Class Initialized
INFO - 2017-01-26 16:31:32 --> Router Class Initialized
INFO - 2017-01-26 16:31:32 --> Output Class Initialized
INFO - 2017-01-26 16:31:32 --> Security Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Global POST, GET and COOKIE data sanitized
INFO - 2017-01-26 16:31:32 --> Config Class Initialized
INFO - 2017-01-26 16:31:32 --> Hooks Class Initialized
DEBUG - 2017-01-26 16:31:32 --> UTF-8 Support Enabled
INFO - 2017-01-26 16:31:32 --> Utf8 Class Initialized
INFO - 2017-01-26 16:31:32 --> URI Class Initialized
INFO - 2017-01-26 16:31:32 --> Router Class Initialized
INFO - 2017-01-26 16:31:32 --> Output Class Initialized
INFO - 2017-01-26 16:31:32 --> Security Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Global POST, GET and COOKIE data sanitized
INFO - 2017-01-26 16:31:32 --> Input Class Initialized
INFO - 2017-01-26 16:31:32 --> Language Class Initialized
INFO - 2017-01-26 16:31:32 --> Loader Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/app.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/app.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/storage.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/assets.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/metrics.php
DEBUG - 2017-01-26 16:31:32 --> Config file loaded: /Users/.../private/application/config/development/defaults.php
INFO - 2017-01-26 16:31:32 --> Helper loaded: array_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: url_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: date_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: requirejs_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: dustjs_helper
INFO - 2017-01-26 16:31:32 --> Helper loaded: bootstrap_helper
INFO - 2017-01-26 16:31:32 --> Database Driver Class Initialized
INFO - 2017-01-26 16:31:32 --> Session: Class initialized using 'redis' driver.
INFO - 2017-01-26 16:31:32 --> Model Class Initialized
INFO - 2017-01-26 16:31:32 --> Controller Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Minifier shaved 0KB (0%) off final HTML output.
INFO - 2017-01-26 16:31:32 --> Final output sent to browser
DEBUG - 2017-01-26 16:31:32 --> Total execution time: 0.0375
INFO - 2017-01-26 16:31:32 --> Config Class Initialized
INFO - 2017-01-26 16:31:32 --> Hooks Class Initialized
DEBUG - 2017-01-26 16:31:32 --> UTF-8 Support Enabled
INFO - 2017-01-26 16:31:32 --> Utf8 Class Initialized
INFO - 2017-01-26 16:31:32 --> URI Class Initialized
INFO - 2017-01-26 16:31:32 --> Router Class Initialized
INFO - 2017-01-26 16:31:32 --> Output Class Initialized
INFO - 2017-01-26 16:31:32 --> Security Class Initialized
DEBUG - 2017-01-26 16:31:32 --> Global POST, GET and COOKIE data sanitized
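The three-step refresh flow from the post, written out as an added client-side example (not code from the original post or from CodeIgniter). It assumes the field name `csrf_token` and the whitelisted GET `/token` endpoint from the config above, with `/token` returning JSON `{"csrf_token": "<value>"}`; the fake server is constructed here to model the expired-cookie case.

```javascript
// Added example (not from the original post): transparent CSRF token refresh for
// an AJAX submit against a CodeIgniter-style double-submit cookie check.
// Assumed names: field 'csrf_token', CSRF-exempt GET /token returning JSON.
const CSRF_FIELD = 'csrf_token';
const TOKEN_URL = '/token';
const MAX_REFRESH = 1; // refresh once; a second 403 is a real error, not expiry

// POST `fields` to `url`; on a 403, fetch the current token and resubmit once.
// `fetchImpl` is injected so the flow can run against the fake server below.
async function submitWithCsrfRetry(fetchImpl, url, fields) {
  let body = { ...fields };
  for (let refreshes = 0; ; refreshes++) {
    const resp = await fetchImpl(url, {
      method: 'POST',
      credentials: 'same-origin', // the csrf_cookie must travel with the POST
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams(body).toString(),
    });
    if (resp.status !== 403 || refreshes >= MAX_REFRESH) {
      return { status: resp.status, posts: refreshes + 1, token: body[CSRF_FIELD] };
    }
    // The 403 response set a fresh csrf_cookie; /token (CSRF-exempt, same-origin
    // only, never exposed via CORS) hands that cookie's value back to the page.
    const tokResp = await fetchImpl(TOKEN_URL, { credentials: 'same-origin' });
    if (tokResp.status !== 200) {
      return { status: resp.status, posts: refreshes + 1, token: body[CSRF_FIELD] };
    }
    body = { ...body, [CSRF_FIELD]: (await tokResp.json())[CSRF_FIELD] };
  }
}

// Constructed fake server (not CodeIgniter): models csrf_expire having elapsed,
// so the page's token matches no cookie. Like a double-submit check, it mints a
// new cookie when none exists and accepts only a token equal to that cookie.
function makeFakeServer() {
  let cookie = null; // null: the browser's csrf_cookie has expired
  let minted = 0;
  return async (url, opts = {}) => {
    if (url === TOKEN_URL) {
      if (cookie === null) cookie = `tok-${++minted}`;
      return { status: 200, json: async () => ({ [CSRF_FIELD]: cookie }) };
    }
    const sent = new URLSearchParams(opts.body).get(CSRF_FIELD);
    if (cookie !== null && sent === cookie) {
      return { status: 200, json: async () => ({ ok: true }) };
    }
    if (cookie === null) cookie = `tok-${++minted}`; // 403 carries the new cookie
    return { status: 403, json: async () => ({ error: 'csrf' }) };
  };
}

// Stale page token -> one 403 -> one /token call -> successful resubmit.
async function demo() {
  return submitWithCsrfRetry(makeFakeServer(), '/login',
    { username: 'alice', [CSRF_FIELD]: 'tok-stale' });
}
```

The single-retry cap is what keeps the loop in the post's screenshot (403, refresh, 403, refresh, 403) from running indefinitely; after one refreshed attempt the caller sees the 403 and can surface it instead of retrying.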


Messages In This Thread
Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by spjonez - 01-26-2017, 01:06 PM


