Tags: security, authentication, csrf, csrf-protection

How do I handle CSRF tokens for login pages?


I've recently run into an interesting problem with login pages and CSRF tokens. I want to ensure the login form POST is secured with a CSRF token; however, when/if a user remains on the login page for an extended period of time, his/her session will expire and the CSRF token will become invalid. Any advice for how to avoid this issue? I am considering not using a CSRF token for login pages, but this seems to be a bad practice.


Solution

  • Technically speaking, the login page is an out-of-session page (the user hasn't logged in yet) and therefore a CSRF mitigation isn't really needed. There's not a whole lot a hacker can do if the user hasn't established a session. I guess he could trick a user into logging on (if he knows the user name and password), but if he could do that he could log in from his own browser instead.

    If you insist on the CSRF token on the login page, I suggest you render the token as per usual and refresh the page with a JavaScript timer (setTimeout) a few seconds before the token is due to expire.
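The timer approach from the answer above, as an added example that is not part of the original post. It assumes the server renders the token's lifetime in seconds into a `data-csrf-ttl` attribute on the login form (an assumption, not something the page states) and that a full reload re-renders the form with a fresh token.

```javascript
// Added example: schedule a reload of the login page shortly before the
// session that issued the CSRF token expires, so the token in the form is
// never stale when the user finally submits.
//
// Assumed markup (not from the original page):
//   <form id="login" data-csrf-ttl="1200"> ... <input name="csrf_token" ...>

const SAFETY_MARGIN_MS = 10 * 1000; // reload this long before expiry

// Milliseconds to wait before reloading, given the token lifetime in seconds
// and how long the page has already been open. Never negative: if the
// lifetime is shorter than the safety margin the reload happens at once.
function refreshDelayMs(ttlSeconds, elapsedMs = 0) {
  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
    throw new RangeError("csrf token lifetime must be a positive number");
  }
  const delay = ttlSeconds * 1000 - SAFETY_MARGIN_MS - elapsedMs;
  return Math.max(0, delay);
}

// Arm the timer. `schedule` and `reload` are injectable so the logic can be
// exercised outside a browser; in a page they default to window.setTimeout
// and location.reload. Returns whatever the scheduler returns (the timer id).
function scheduleTokenRefresh(form, { schedule, reload } = {}) {
  const ttl = Number(form.dataset.csrfTtl);
  const delay = refreshDelayMs(ttl);
  const doSchedule = schedule || ((fn, ms) => window.setTimeout(fn, ms));
  const doReload = reload || (() => window.location.reload());
  return doSchedule(doReload, delay);
}

// Wire up when running in a browser; skipped elsewhere (e.g. under Node).
if (typeof document !== "undefined") {
  const form = document.getElementById("login");
  if (form) scheduleTokenRefresh(form);
}
```

A full reload discards anything the user has already typed; if that matters, the same timer can instead fetch a fresh token from the server and replace the hidden field's value in place.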