
OK, so what I'm trying to do may seem like a cross-site attack - defeating the very purpose of CSRF tokens - but here is the need: I have a Symfony app site (app.timo.in) and a plain-PHP homepage web app (www.timo.in). I wish to allow registered visitors to log in from the homepage.

INFO: The app & homepage are on the same domain (timo.in)

A possible option is to generate some other token based on a shared secret that both sides can understand. I do not want the token to expire too soon. One advantage I have is that the login form opens in a modal, so a fresh token can be generated each time, with a short validity. What other parameters do I need to make it secure? If I include the session ID, will both sites understand it?

ALERT: I need some sort of CSRF protection, so do not suggest disabling it on the Symfony App's Login page :)


0 answers
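The design sketched in the question, a short-lived token minted on www.timo.in and checked on app.timo.in with a shared secret, as an added example that is not part of the question or of either site's code. It is written in Python so the flow can be run offline; the PHP equivalents are `hash_hmac('sha256', ...)`, `hash_equals()` and `random_bytes()`. Everything here is an assumption for illustration: the secret, the claim names, the 120 s lifetime, the 30 s clock-skew allowance and the cookie name are chosen for the example. Two parameters beyond the secret and the expiry matter: a random nonce so each token is single-use, and a binding to the browser that will submit the form. Without the binding, an attacker's server could fetch a fresh token from www.timo.in itself and embed it in a forged form. The binding used here is a random value the homepage stores in a cookie scoped to the parent domain (`Domain=timo.in`), which both hosts receive; it is deliberately not the PHP session ID, since the two apps keep separate session stores by default and the app side could not look the ID up.

```python
"""Added example: a short-lived, browser-bound login-form token shared between
www.timo.in (mints it) and app.timo.in (verifies it). Not the question's code."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Assumed values for this example. Both hosts would load the secret from their
# own configuration; it is never sent to the browser.
SHARED_SECRET = b"replace-with-32-random-bytes-from-config"
ISSUER = "www.timo.in"
AUDIENCE = "app.timo.in"
PURPOSE = "login-form"
TOKEN_TTL_SECONDS = 120   # a fresh token is minted per modal open, so keep it short
CLOCK_SKEW_SECONDS = 30   # tolerate slightly different clocks on the two hosts


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def mint_token(binding: str, secret: bytes = SHARED_SECRET,
               now: Optional[float] = None) -> str:
    """Homepage side. `binding` is a random value the homepage also stores in a
    cookie with Domain=timo.in (assumed name: timo_bind), so it reaches
    app.timo.in with the login POST. An attacker's server can fetch a token of
    its own, but not one bound to the victim's cookie."""
    iat = int(time.time() if now is None else now)
    claims = {
        "iss": ISSUER, "aud": AUDIENCE, "purpose": PURPOSE,
        "iat": iat, "exp": iat + TOKEN_TTL_SECONDS,
        "nonce": _b64u(os.urandom(16)),                             # single-use
        "bind": _b64u(hashlib.sha256(binding.encode()).digest()),   # not the raw cookie value
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64u(payload) + "." + _b64u(_sign(payload, secret))


class LoginTokenVerifier:
    """Symfony-app side. Rejects tokens that are forged, expired, replayed,
    meant for another endpoint, or not bound to the browser submitting them."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self._secret = secret
        self._used: Dict[str, int] = {}   # nonce -> exp, purged once expired

    def verify(self, token: str, cookie_binding: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload, sig = _unb64u(payload_b64), _unb64u(sig_b64)
        except (ValueError, binascii.Error) as exc:
            raise ValueError("malformed token") from exc
        # Check the MAC before trusting any field; constant-time compare.
        if not hmac.compare_digest(sig, _sign(payload, self._secret)):
            raise ValueError("bad signature")
        claims = json.loads(payload)
        if (claims.get("iss"), claims.get("aud"), claims.get("purpose")) != (ISSUER, AUDIENCE, PURPOSE):
            raise ValueError("token not intended for this login endpoint")
        if not (claims["iat"] - CLOCK_SKEW_SECONDS <= now < claims["exp"]):
            raise ValueError("token expired or not yet valid")
        expected_bind = _b64u(hashlib.sha256(cookie_binding.encode()).digest())
        if not hmac.compare_digest(claims["bind"], expected_bind):
            raise ValueError("token not bound to this browser")
        self._used = {n: e for n, e in self._used.items() if e > now}
        if claims["nonce"] in self._used:
            raise ValueError("token already used")
        self._used[claims["nonce"]] = claims["exp"]
        return claims

    def accepts(self, token: str, cookie_binding: str,
                now: Optional[float] = None) -> bool:
        """Boolean form of verify(), convenient for a login controller."""
        try:
            self.verify(token, cookie_binding, now)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    # Constructed flow: www mints for the browser's binding cookie, app checks.
    browser_cookie = _b64u(os.urandom(16))
    tok = mint_token(browser_cookie)
    app = LoginTokenVerifier()
    print("first use:", app.accepts(tok, browser_cookie))   # True
    print("replay:", app.accepts(tok, browser_cookie))      # False
```

In the Symfony app this check would run in the login controller (or a request listener on the login route) in place of the framework's own per-session CSRF token for that one form, with the nonce store kept somewhere shared by all app workers such as the cache or database rather than an in-process dict. The binding cookie should be set with `Secure`, `HttpOnly` and `SameSite=Lax` and with `Domain=timo.in`, which is what makes the same-parent-domain detail in the question do the work.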