[Owasp-csrfguard] cache control default for javascript file
Chris Hyzer
mchyzer at isc.upenn.edu
Wed May 21 03:09:09 UTC 2014
This is the default for the cache control for the javascript file:
# Allows the developer to specify the value of the Cache-Control header in the HTTP response
# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
# or "TokenPerPage" option is set to true in Owasp.CsrfGuard.properties.
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
Does this mean that if sessions are invalid after 60 minutes, then if the user who has been inactive for some time between 60 minutes and 8 hours tries the app again they will get a CSRF error since the token is from the previous session? I think a more sensible default would be 30 minutes (1800 value) since it is a common (on the low side) session inactivity period that should not cause undue load on the server...
Thoughts?
Thanks,
Chris
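A small configuration check for the mismatch raised above, added here as an example and not part of the original post or of the CSRFGuard project: it reads a constructed fragment of Owasp.CsrfGuard.properties, applies the no-store rule described in the quoted comment, and reports whether the cached JavaScript (and the token it carries) can outlive the server-side session. The session timeout in minutes is assumed to come from the container configuration (for example web.xml).

```python
# Constructed sample of an Owasp.CsrfGuard.properties fragment (not the project's file).
SAMPLE_PROPERTIES = """
org.owasp.csrfguard.Rotate = false
org.owasp.csrfguard.TokenPerPage = false
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
"""

def parse_properties(text):
    """Minimal .properties parser: 'key = value' lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def cache_max_age(cache_control):
    """Return the max-age in seconds from a Cache-Control value, or None.
    The standard directive is 'max-age'; the default quoted in the post
    spells it 'maxage', so both spellings are accepted here."""
    for directive in cache_control.split(","):
        name, sep, value = directive.strip().partition("=")
        if sep and name.strip().lower() in ("max-age", "maxage"):
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None

def effective_cache_control(props):
    """With Rotate or TokenPerPage enabled the servlet always sends no-store."""
    flags = ("org.owasp.csrfguard.Rotate", "org.owasp.csrfguard.TokenPerPage")
    if any(props.get(f, "false").lower() == "true" for f in flags):
        return "no-store"
    return props.get("org.owasp.csrfguard.JavascriptServlet.cacheControl", "")

def js_cache_outlives_session(props, session_timeout_minutes):
    """True when a browser may reuse a cached CSRFGuard script (and its token)
    after the server-side session it was issued for has already expired."""
    cc = effective_cache_control(props)
    if "no-store" in cc:
        return False
    max_age = cache_max_age(cc)
    return max_age is not None and max_age > session_timeout_minutes * 60
```

With the default of 28800 seconds and a 60-minute session timeout the check reports a mismatch; with a 30-minute value (1800) and a 30-minute timeout it does not.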