diff --git a/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java b/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
index 87106145cfba..0bda3a0771d4 100755
--- a/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
@@ -116,9 +116,7 @@ public Response createUser(final MultivaluedMap formData) {
             throw new WebApplicationException(Response.Status.BAD_REQUEST);
         }
-        String cookieStateChecker = getCsrfCookie();
-        String formStateChecker = formData.getFirst("stateChecker");
-        csrfCheck(cookieStateChecker, formStateChecker);
+        csrfCheck(formData);
         String username = formData.getFirst("username");
         String password = formData.getFirst("password");
@@ -183,7 +181,7 @@ private Response createWelcomePage(String successMessage, String errorMessage) {
             map.put("localUser", isLocal);
             if (isLocal) {
-                String stateChecker = updateCsrfChecks();
+                String stateChecker = setCsrfCookie();
                 map.put("stateChecker", stateChecker);
             }
         }
@@ -242,25 +240,23 @@ private boolean isLocalAddress(InetAddress inetAddress) {
         return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress();
     }
-    private String updateCsrfChecks() {
-        String stateChecker = getCsrfCookie();
-        if (stateChecker != null) {
-            return stateChecker;
-        } else {
-            stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
-            String cookiePath = uriInfo.getPath();
-            boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
-            CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
-            return stateChecker;
-        }
+    private String setCsrfCookie() {
+        String stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
+        String cookiePath = uriInfo.getPath();
+        boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
+        CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
+        return stateChecker;
     }
-    private String getCsrfCookie() {
+    private void csrfCheck(final MultivaluedMap formData) {
+        String formStateChecker = formData.getFirst("stateChecker");
         Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
-        return cookie==null ? null : cookie.getValue();
-    }
+        if (cookie == null) {
+            throw new ForbiddenException();
+        }
+
+        String cookieStateChecker = cookie.getValue();
 
-    private void csrfCheck(String cookieStateChecker, String formStateChecker) {
         if (cookieStateChecker == null || !cookieStateChecker.equals(formStateChecker)) {
             throw new ForbiddenException();
         }
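Review bot: The token comparison at the end of csrfCheck, `!cookieStateChecker.equals(formStateChecker)`, is an early-exit string compare on a secret; the usual choice for a CSRF token check is a constant-time compare, e.g. `if (cookieStateChecker == null || formStateChecker == null || !MessageDigest.isEqual(cookieStateChecker.getBytes(StandardCharsets.UTF_8), formStateChecker.getBytes(StandardCharsets.UTF_8)))` (the explicit null guard on formStateChecker is needed because formData.getFirst returns null when the field is absent, and the two java.security / java.nio.charset imports would have to be added). Separately, setCsrfCookie now mints a fresh value on every createWelcomePage render, whereas the removed updateCsrfChecks reused an existing cookie, so two welcome tabs opened in the same browser will presumably leave the first tab's form failing with 403; if that is intended (not trusting a pre-existing cookie value), a Javadoc line on setCsrfCookie saying that each render deliberately replaces the cookie would spare the next reader the same question. Neither new method carries Javadoc; csrfCheck should at least state that it implements a double-submit cookie check against the form field `stateChecker` and that it throws ForbiddenException on a missing cookie or mismatch. The Secure flag is still derived from `uriInfo.getRequestUri().getScheme()`, which may read "http" behind a TLS-terminating proxy; that is pre-existing behaviour but deserves a comment. csrfCheck's closing brace lies outside the hunk.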