[5.2] Allow XSRF (CSRF) cookie lifetime to be set from configuration #14080
Conversation
ghost
changed the title
|
Unlike the session duration, we just need the CSRF token to be valid across two requests. |
|
On a related note, refs #6518. |
|
That is true. However, the issue I was running into was if the difference in time between those two requests is larger than 120 minutes, a token mismatch exception will be thrown on the next request. There is no way to control that margin since it hard coded in. |
|
You could extend the Maybe better, the cookie duration could be moved to a class property or method, so you would just have to redefine this, instead of the whole |
|
Extending the middleware is exactly how I solved it for myself, but I figured someone could run into this problem in the future, hence the pr. I considered implementing the property way that you suggest, but it seemed a simpler fix to just use the configuration since it was already there. I can adjust the pr to utilize a property instead if its ultimately decided that this is worth doing. |
ghost
deleted the
Currently you are unable to set the lifetime of the xsrf cookie. It is currently hard coded at 120 minutes here
This change will allow it to pull the value from the session configuration. Since the default value for 'lifetime' in the session config is also 120, this should be backwards compatible.