ajax post csrf problem 403 error
#8

(This post was last modified: 04-17-2017, 06:03 AM by PaulD. Edit Reason: Added edit )

Not sure in truth. I might have done something dodgy in writing a quick example for you. It does look risky doing it this way, but I only did this as an example. I would return the new hash value with the original ajax call, and not do a separate ajax get for it (as MWhitney did in his explanation), but as I said, this is just an example of how to do it.

Actually doing it as a public get does feel a bit wrong. Perhaps we need someone with more security knowledge and CSRF and XSS understanding and expertise than I have, to let us know.

Good point though. This get example is probably not the best way.

If site B (the bad site) tries to access site A (the good site you are logged into), it will get a different hash value than the one you get on site A if it tries to access the get value (as it is a different session). So I think it would be fine. Just make sure any state changing processes are done via a post, not a get. But TBH this is most certainly not an area I am knowledgeable in; I would appreciate any advice from any readers with more insight to advise about this.
EDIT: Actually the bad site now has a valid hash value and your cookie will say it is logged in. So it is not fine :-(

So IMHO return the new hash with the original ajax call, not as a separate function. At least then the new hash is only returned when the current hash is checked and regenerated.

Best wishes,

Paul

PS added an edit to the top of original sample post above.


Messages In This Thread
ajax post csrf problem 403 error - by arabgenius - 04-16-2017, 02:42 PM
RE: ajax post csrf problem 403 error - by PaulD - 04-17-2017, 02:31 AM
RE: ajax post csrf problem 403 error - by PaulD - 04-17-2017, 03:29 AM
RE: ajax post csrf problem 403 error - by PaulD - 04-17-2017, 05:46 AM


