Tags: python, session, csrf, pyramid, csrf-protection

Does calling the new_csrf_token() method on a Pyramid session object invalidate previously issued tokens?


Using the Pyramid web framework, when the new_csrf_token() method is called on a session object, does it invalidate previously issued CSRF tokens?

For example:

# session is request.session inside a Pyramid view
old_token = session.get_csrf_token()
new_token = session.new_csrf_token()
# Is old_token still valid for requests?

Solution

  • Calling the new_csrf_token() method on one of Pyramid's session objects will invalidate all previously issued CSRF tokens for that session.

    Pyramid's ISession interface only defines two methods that deal with CSRF tokens, get_csrf_token() and new_csrf_token(). At this time, the framework's session interface does not allow multiple CSRF tokens to exist at the same time. (This ignores an odd edge case with signed cookies, which shouldn't affect the security of CSRF protection.)

    Internally, Pyramid calls the get_csrf_token() method on the request's session object, then compares the returned value to the token received in the request.

    It should be assumed that any requests using an old CSRF protection token will fail.
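To make the behaviour described in the answer concrete, here is an added example that is not part of the original question or answer and is not Pyramid's own code. It models the CSRF half of Pyramid's ISession (a single token stored under one session key, which is how Pyramid's CookieSession does it, using the same `_csrft_` key name) together with a check that looks up the submitted token in the `csrf_token` form field or the `X-CSRF-Token` header, the defaults of Pyramid's `check_csrf_token()`, and compares it to `get_csrf_token()` in constant time. The `CsrfSession` and `check_csrf_token` names below are this example's own; in a real application you would use `request.session` from a configured session factory and `pyramid.csrf.check_csrf_token()` instead.

```python
import binascii
import hmac
import os


class CsrfSession(dict):
    """Minimal model of the CSRF methods on Pyramid's ISession.

    Only one token lives in the session at a time, so rotating it
    with new_csrf_token() necessarily discards the previous one.
    This is a model for illustration, not Pyramid's implementation.
    """

    _CSRF_KEY = '_csrft_'  # same key name Pyramid's CookieSession uses

    def new_csrf_token(self):
        """Generate a fresh token and overwrite whatever was stored."""
        token = binascii.hexlify(os.urandom(20)).decode('ascii')
        self[self._CSRF_KEY] = token
        return token

    def get_csrf_token(self):
        """Return the current token, creating one on first use."""
        token = self.get(self._CSRF_KEY)
        if token is None:
            token = self.new_csrf_token()
        return token


def check_csrf_token(session, form=None, headers=None,
                     token='csrf_token', header='X-CSRF-Token'):
    """Compare the token a request supplied with the session's token.

    Lookup order (form field, then header) and the default names
    mirror Pyramid's check_csrf_token(); the comparison is constant
    time so the check does not leak the token byte by byte.
    Returns True when the request carries the current token.
    """
    form = form or {}
    headers = headers or {}
    supplied = form.get(token) or headers.get(header)
    if not supplied:
        return False
    expected = session.get_csrf_token()
    return hmac.compare_digest(str(supplied), str(expected))


def rotation_demo():
    """Walk through the scenario from the question on a fresh session."""
    session = CsrfSession()

    old_token = session.get_csrf_token()
    # A request carrying the current token is accepted.
    accepted_before = check_csrf_token(session, form={'csrf_token': old_token})

    new_token = session.new_csrf_token()
    # The same old token now fails, because the session only holds new_token.
    old_accepted_after = check_csrf_token(session, form={'csrf_token': old_token})
    # The rotated token works, whether sent as a form field or a header.
    new_accepted = check_csrf_token(session, headers={'X-CSRF-Token': new_token})

    return {
        'tokens_differ': old_token != new_token,
        'old_accepted_before_rotation': accepted_before,
        'old_accepted_after_rotation': old_accepted_after,
        'new_accepted_after_rotation': new_accepted,
    }


if __name__ == '__main__':
    for name, value in rotation_demo().items():
        print(f'{name}: {value}')
```

The practical consequence for a multi-tab or single-page application is visible in `rotation_demo()`: any page or script that cached `old_token` before the rotation will have its next state-changing request rejected, so rotate only at points where every live client of the session can fetch the new value (typically at login and logout).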