Missing CSRF Token in multiple session


Olivier Droz

May 24, 2016, 1:22:11 PM5/24/16
to play-framework
Hi All,
I have an issue that is a bit difficult to reproduce.
One of my users was logged in to the application (https, session.secure=true) and tried to create a new account.
I know this is kind of an edge case, but I'd like to understand what is happening.
When entering the signup form that has a CSRF token generated, he got the "CSRF token check failed" message.
Is it possible that the CSRF token gets compromised by the other session still running? (He hadn't logged out before creating a new account.)
Creating an account "normally" (i.e. without being logged in to another account) works fine.

How can I avoid this?

I tried setting csrf.sign.tokens=true in application.conf - in this case no one is able to log in.
An option would be to kick the user out of any logged-in session when starting the signup process over. How can I do that?

I'm using Play 2.3.9, with SecureSocial.

Thanks