Invalid authentication token after session timeout

Published 2019-09-11 06:39

Question:

I have enabled CSRF protection and it's causing a problem in the following scenario.

The session times out and the user clicks on a button that triggers an action that requires the user to be logged in. As the session is now expired, the user is first taken to the login page and then redirected to the action. The action URL requested by the user is persisted in the login URL with the expired p_auth parameter, and this causes an error.

I do not want to exclude this action from the CSRF protection. Is there a way to define a default action that is called if there is an expired authentication token? If not then is there a way to solve this issue?

Answer 1:

Well, the problem here is that Liferay stores the lastPath. As the lastPath also includes the auth token, it is kind of tricky here. Liferay detects that the session has expired and is redirecting to the login page. After the new login, a new authToken gets generated and associated with that session. Now Liferay tries to redirect you to the lastPath stored. Here the old authToken is still in place. So much for analysis.

What might work is:

Create your own custom PostLoginAction. In that action you check if the lastPath contains an authToken. If so, replace the value of the token with the new one. Save it back to lastPath and cross your fingers. Actually I am not 100% sure if this will work, but I think it should work out.

[EDIT]

This is how you get the new AuthToken:

AuthTokenUtil.getToken(request)

Request would be an HttpServletRequest object, which conveniently is a parameter in the Action method.
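The post-login action sketched in this answer, written out as an added example (it is not code from the answer's author or from Liferay itself). It assumes Liferay 6.x package names (`com.liferay.portal.model.LastPath`, `com.liferay.portal.security.auth.AuthTokenUtil`; under 7.x both live under `com.liferay.portal.kernel`), that the stored `LastPath` keeps `p_auth` in its parameter map, and that `LastPath` exposes getters only, so the refreshed entry is rebuilt through its `(contextPath, path, parameterMap)` constructor. The class name, package and the `replaceAuthToken` helper are hypothetical.

```java
// Added example: post-login Action that replaces the stale p_auth value
// kept in the session's LastPath with the token of the new session.
// Assumptions: Liferay 6.x package names; p_auth is stored in the
// LastPath parameter map; LastPath is rebuilt via its constructor.
package com.example.liferay.auth;

import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.model.LastPath;
import com.liferay.portal.security.auth.AuthTokenUtil;

public class RefreshAuthTokenPostLoginAction extends Action {

    // Query parameter Liferay uses to carry its CSRF token.
    private static final String AUTH_TOKEN_PARAM = "p_auth";

    @Override
    public void run(HttpServletRequest request, HttpServletResponse response)
            throws ActionException {

        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }

        Object attribute = session.getAttribute(WebKeys.LAST_PATH);
        if (!(attribute instanceof LastPath)) {
            return; // nothing stored, or not the type we expect
        }
        LastPath lastPath = (LastPath) attribute;

        Map<String, String[]> params = lastPath.getParameterMap();
        if (params == null || !params.containsKey(AUTH_TOKEN_PARAM)) {
            return; // saved URL carries no CSRF token; nothing to refresh
        }

        String freshToken;
        try {
            // Token bound to the session the login just created.
            freshToken = AuthTokenUtil.getToken(request);
        }
        catch (Exception e) {
            throw new ActionException(e);
        }

        // Store a rebuilt LastPath; only the p_auth value changes.
        session.setAttribute(
            WebKeys.LAST_PATH,
            new LastPath(
                lastPath.getContextPath(), lastPath.getPath(),
                replaceAuthToken(params, freshToken)));
    }

    // Returns a copy of the parameter map with the p_auth value replaced by
    // the fresh token; the original map is left untouched. Kept static and
    // free of Liferay types so it can be unit-tested on its own.
    static Map<String, String[]> replaceAuthToken(
            Map<String, String[]> params, String freshToken) {

        Map<String, String[]> copy = new HashMap<String, String[]>(params);
        copy.put(AUTH_TOKEN_PARAM, new String[] {freshToken});
        return copy;
    }
}
```

Register the class by adding it to `login.events.post` in the hook's portal.properties, and check in your version which built-in action consumes `WebKeys.LAST_PATH` for the post-login redirect so that this one runs before it. Note what the rewrite does from a security standpoint: the stored request is replayed with a token that is valid for the freshly authenticated session, which is exactly the behaviour the question asks for, so keep the CSRF check itself enabled on the target action.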