Page tokens generated on first use are not sent back to the client #145
Description
When using the Token-per-page option with AJAX and without token pre-creation (no protected pages are being configured), the solution validates the request with the master token, then generates a new page token on first access of new pages/endpoints, but does not send back the the value to the UI. This behavior leads to false positive CSRF attack attempts and makes the application unusable.
Proposed solution:
Send back the newly generated page token in the response of the request. The JavaScript logic should intercept all XHR requests, look for the specific header and should update the token value associated to the specific page/endpoint if present.