Make CSRF token expiration configurable

Currently the CSRF token timeout is hard-coded at 1800 seconds. This often becomes inconvenient when I want to perform an action on a page that I loaded a while ago. A couple of typical cases:

  • Reading the timeline on a phone is often done in small chunks of time, so I load a page and slowly scroll through it. If I attempt to like something more than half an hour later, it fails with a CSRF error. Reloading the page is also not ideal because it loses my reading position.
  • Writing any non-trivial post may take longer than 30m, especially if I have to look up/research something.

For myself, I don't see much threat from increasing CSRF lifetime to something on the order of several hours, so I would like to have that option.


~tsileo REPORTED IMPLEMENTED 10 months ago

Hey, I just added support for a new csrf_token_exp config item (and also extended the default one to 3600 seconds).
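
As an added illustration of the timeout check this ticket is about (not the project's own code), the following stand-alone Python models a session-bound, timestamped CSRF token whose lifetime is read from a `csrf_token_exp` config item: a token issued under the old 1800-second limit fails exactly where the reporter hit the error, while the same token is still accepted under the new 3600-second default. The token layout, the `generate_csrf_token`/`validate_csrf_token` names and the secret are assumptions for the example; binding the MAC to the session id is what keeps a longer lifetime from making a token usable outside the session it was issued for.

```python
import hashlib
import hmac
import secrets

# "csrf_token_exp" is the config key named in the reply; 3600 is the new
# default it mentions. Everything else in this file is constructed for the
# example and is not the project's implementation.
DEFAULT_CONFIG = {"csrf_token_exp": 3600}


def generate_csrf_token(secret: bytes, session_id: str, now: float) -> str:
    """Return a token of the form 'issued_at.nonce.mac'.

    The HMAC covers the session id, the issue time and a random nonce, so the
    expiry cannot be extended by editing the timestamp, and a token from one
    session is rejected in another.
    """
    issued_at = str(int(now))
    nonce = secrets.token_hex(8)
    msg = f"{session_id}.{issued_at}.{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{nonce}.{mac}"


def validate_csrf_token(secret: bytes, session_id: str, token: str,
                        now: float, config: dict = DEFAULT_CONFIG):
    """Return (ok, reason).

    Rejects malformed tokens, tokens whose MAC does not match (forged or
    issued for a different session) and tokens older than
    config["csrf_token_exp"] seconds. The MAC is checked before the age so a
    forged timestamp never reaches the expiry comparison.
    """
    try:
        issued_at, nonce, mac = token.split(".")
        issued = int(issued_at)
    except ValueError:
        return False, "malformed"
    msg = f"{session_id}.{issued_at}.{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    if now - issued > config["csrf_token_exp"]:
        return False, "expired"
    return True, "ok"
```

Raising `csrf_token_exp` only widens the window during which an already-issued token stays valid for its own session; it does not change the work needed to forge one, which is what makes a lifetime of hours a reasonable trade for a single-user instance.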


~nevkontakte 10 months ago

Thank you!
