diff --git a/module/VuFind/config/module.config.php b/module/VuFind/config/module.config.php
index d5b271c12e6db7eddb0e34474b613eef0361181d..6f7b4c26168c8dcb4b336c2ac7e9ce08445cb8ac 100644
--- a/module/VuFind/config/module.config.php
+++ b/module/VuFind/config/module.config.php
@@ -353,6 +353,7 @@ $config = [
             'Zend\Db\Adapter\Adapter' => 'VuFind\Service\Factory::getDbAdapter',
             'Zend\Mvc\I18n\Translator' => 'VuFind\Service\Factory::getTranslator',
             'Zend\Session\SessionManager' => 'VuFind\Session\ManagerFactory',
+            'Zend\Validator\Csrf' => 'VuFind\Service\CsrfValidatorFactory',
         ],
         'initializers' => [
             'VuFind\ServiceManager\ServiceInitializer',
diff --git a/module/VuFind/src/VuFind/Auth/Manager.php b/module/VuFind/src/VuFind/Auth/Manager.php
index 396d27cc1a5e24b5b9a528357e13cd44b2bee26d..4618d6da29d9ca4ce3e9ffd6fbd3f27cf6ded31b 100644
--- a/module/VuFind/src/VuFind/Auth/Manager.php
+++ b/module/VuFind/src/VuFind/Auth/Manager.php
@@ -124,10 +124,11 @@ class Manager implements \ZfcRbac\Identity\IdentityProviderInterface
      * @param SessionManager $sessionManager Session manager
      * @param PluginManager  $pm             Authentication plugin manager
      * @param CookieManager  $cookieManager  Cookie manager
+     * @param Csrf           $csrf           CSRF validator
      */
     public function __construct(Config $config, UserTable $userTable,
         SessionManager $sessionManager, PluginManager $pm,
-        CookieManager $cookieManager
+        CookieManager $cookieManager, Csrf $csrf
     ) {
         // Store dependencies:
         $this->config = $config;
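Review bot: The new `Csrf $csrf` argument in the constructor signature is required, so any subclass or caller that still builds `Manager` with the old five arguments will fail. Only `ManagerFactory` and the unit test helper are updated in this commit. If local extensions are expected to extend or construct this class, the break should be mentioned in the upgrade notes. The `@param` line could also record where the object now comes from, e.g. `@param Csrf $csrf CSRF validator (resolved from the service container)`. The constructor body continues outside this hunk.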
@@ -135,19 +136,11 @@ class Manager implements \ZfcRbac\Identity\IdentityProviderInterface
         $this->sessionManager = $sessionManager;
         $this->pluginManager = $pm;
         $this->cookieManager = $cookieManager;
+        $this->csrf = $csrf;
 
         // Set up session:
         $this->session = new \Zend\Session\Container('Account', $sessionManager);
 
-        // Set up CSRF:
-        $this->csrf = new Csrf(
-            [
-                'session' => new \Zend\Session\Container('csrf', $sessionManager),
-                'salt' => isset($this->config->Security->HMACkey)
-                    ? $this->config->Security->HMACkey : 'VuFindCsrfSalt',
-            ]
-        );
-
         // Initialize active authentication setting (defaulting to Database
         // if no setting passed in):
         $method = isset($config->Authentication->method)
diff --git a/module/VuFind/src/VuFind/Auth/ManagerFactory.php b/module/VuFind/src/VuFind/Auth/ManagerFactory.php
index 771b698bdb08e75c39e0395a1a7432117f9e3454..5d19dc29706d325526b532b3e06dc6097e812cb9 100644
--- a/module/VuFind/src/VuFind/Auth/ManagerFactory.php
+++ b/module/VuFind/src/VuFind/Auth/ManagerFactory.php
@@ -84,10 +84,11 @@ class ManagerFactory implements FactoryInterface
         $sessionManager = $container->get('Zend\Session\SessionManager');
         $pm = $container->get('VuFind\Auth\PluginManager');
         $cookies = $container->get('VuFind\Cookie\CookieManager');
+        $csrf = $container->get('Zend\Validator\Csrf');
 
         // Build the object and make sure account credentials haven't expired:
         $manager = new $requestedName(
-            $config, $userTable, $sessionManager, $pm, $cookies
+            $config, $userTable, $sessionManager, $pm, $cookies, $csrf
         );
         $manager->checkForExpiredCredentials();
         return $manager;
diff --git a/module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php b/module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php
new file mode 100644
index 0000000000000000000000000000000000000000..d998b399b00d0ada978f641484cc52384aacebbd
--- /dev/null
+++ b/module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * CSRF Validator factory.
+ *
+ * PHP version 5
+ *
+ * Copyright (C) Villanova University 2014.
+ * Copyright (C) The National Library of Finland 2018.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  Service
+ * @author   Demian Katz <demian.katz@villanova.edu>
+ * @author   Ere Maijala <ere.maijala@helsinki.fi>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+namespace VuFind\Service;
+
+use Interop\Container\ContainerInterface;
+use Zend\ServiceManager\Factory\FactoryInterface;
+
+/**
+ * CSRF Validator factory.
+ *
+ * @category VuFind
+ * @package  Service
+ * @author   Demian Katz <demian.katz@villanova.edu>
+ * @author   Ere Maijala <ere.maijala@helsinki.fi>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ *
+ * @codeCoverageIgnore
+ */
+class CsrfValidatorFactory implements FactoryInterface
+{
+    /**
+     * Create an object
+     *
+     * @param ContainerInterface $container     Service manager
+     * @param string             $requestedName Service being created
+     * @param null|array         $options       Extra options (optional)
+     *
+     * @return object
+     *
+     * @throws ServiceNotFoundException if unable to resolve the service.
+     * @throws ServiceNotCreatedException if an exception is raised when
+     * creating a service.
+     * @throws ContainerException if any other error occurs
+     */
+    public function __invoke(ContainerInterface $container, $requestedName,
+        array $options = null
+    ) {
+        if (!empty($options)) {
+            throw new \Exception('Unexpected options passed to factory.');
+        }
+        $config = $container->get('VuFind\Config\PluginManager')->get('config');
+        $sessionManager = $container->get('Zend\Session\SessionManager');
+        return new $requestedName(
+            [
+                'session' => new \Zend\Session\Container('csrf', $sessionManager),
+                'salt' => $config->Security->HMACkey ?? 'VuFindCsrfSalt'
+            ]
+        );
+    }
+}
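Review bot: The `'salt'` line in `__invoke` falls back to the literal `'VuFindCsrfSalt'` whenever `Security->HMACkey` is absent, and nothing tells the operator that a fixed, publicly known value is in use. As far as I know Zend's Csrf validator also mixes random bytes into each token, so this is probably not a token-prediction problem on its own. It still deserves a comment such as `// Falls back to a fixed, publicly known salt when Security->HMACkey is not configured`, and possibly a logged warning. Note also that `??` passes an empty-string key through unchanged, so a blank `HMACkey` yields an empty salt. Separately, the file header says `PHP version 5` while `??` needs PHP 7, and the `@throws` tags name exception classes that are neither imported nor thrown here (the only explicit throw is `\Exception`).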
diff --git a/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php b/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php
index fda3e408b90c30aa09337863992fd27e732913d1..5eba35bc793c1ad76c52ee2ce1bad45bd78ec3c4 100644
--- a/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php
+++ b/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php
@@ -514,7 +514,15 @@ class ManagerTest extends \VuFindTest\Unit\TestCase
             $pm = $this->getMockPluginManager();
         }
         $cookies = new \VuFind\Cookie\CookieManager([]);
-        return new Manager($config, $userTable, $sessionManager, $pm, $cookies);
+        $csrf = new \Zend\Validator\Csrf(
+            [
+                'session' => new \Zend\Session\Container('csrf', $sessionManager),
+                'salt' => 'csrftest'
+            ]
+        );
+        return new Manager(
+            $config, $userTable, $sessionManager, $pm, $cookies, $csrf
+        );
     }
 
     /**