This is not an actual challenge. A web application is vulnerable to CSRF, if it is storing the token generated by authentication scheme in a cookie.
For successful execution of CSRF attack, attacker needs a cookie which is used to identify the user. :)