~tsileo/microblog.pub#132: Make CSRF token expiration configurable

Currently the CSRF token timeout is hard-coded at 1800 seconds. This often becomes inconvenient when I want to perform an action on a page that I loaded a while ago. A couple of typical cases:

  • Reading the timeline on a phone is often done in small chunks of time, so I load a page and slowly scroll through it. If I attempt to like something more than half an hour later, it fails with a CSRF error. Reloading the page is also not ideal because it loses my reading position.
  • Writing any non-trivial post may take longer than 30m, especially if I have to look up/research something.

For myself, I don't see much threat from increasing CSRF lifetime to something on the order of several hours, so I would like to have that option.

Status: RESOLVED IMPLEMENTED
Submitter: ~nevkontakte
Assigned to: No-one
Submitted: 1 year, 8 months ago
Updated: 1 year, 7 months ago
Labels: No labels applied.

~tsileo REPORTED IMPLEMENTED 1 year, 7 months ago

Hey, I just added support for a new csrf_token_exp config item (and also extended the default one to 3600 seconds).

Thanks!
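
An added illustration, not microblog.pub's code: a signed, timestamped CSRF token whose maximum age is a parameter named after the `csrf_token_exp` setting, showing why a page loaded 45 minutes ago fails under 1800 seconds and passes under 3600. The function names, the `SECRET` key, the token layout and the session binding are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed per-process key for the example; a real app loads a persistent secret.
SECRET = secrets.token_bytes(32)
_PAYLOAD_LEN = 16   # 8-byte big-endian issue time + 8-byte random nonce
_MAC_LEN = 32       # HMAC-SHA256 digest size


def _mac(session_id, payload):
    return hmac.new(SECRET, session_id.encode() + b"|" + payload, hashlib.sha256).digest()


def issue_token(session_id, now=None):
    """Return a URL-safe token carrying its own issue time, bound to session_id."""
    issued = int(time.time() if now is None else now)
    payload = struct.pack(">Q", issued) + secrets.token_bytes(8)
    return base64.urlsafe_b64encode(payload + _mac(session_id, payload)).decode()


def verify_token(token, session_id, csrf_token_exp, now=None):
    """Return 'ok', 'malformed', 'bad_signature' or 'expired'."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return "malformed"
    if len(raw) != _PAYLOAD_LEN + _MAC_LEN:
        return "malformed"
    payload, mac = raw[:_PAYLOAD_LEN], raw[_PAYLOAD_LEN:]
    # Check integrity first, in constant time, so the timestamp can be trusted.
    if not hmac.compare_digest(mac, _mac(session_id, payload)):
        return "bad_signature"
    (issued,) = struct.unpack(">Q", payload[:8])
    age = (time.time() if now is None else now) - issued
    # Reject tokens older than the configured lifetime or stamped in the future.
    if not 0 <= age <= csrf_token_exp:
        return "expired"
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    tok = issue_token("session-a", now=t0)
    for exp in (1800, 3600):  # old hard-coded value vs. new default from the thread
        print(exp, verify_token(tok, "session-a", exp, now=t0 + 45 * 60))
```

A longer lifetime keeps stale pages usable but also lengthens the window in which a leaked token is still accepted, which is why the value is best left to the instance operator.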

~nevkontakte 1 year, 7 months ago

Thank you!
