mchyzer at isc.upenn.edu
Wed May 21 03:09:09 UTC 2014
# Allows the developer to specify the value of the Cache-Control header in the HTTP response
# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
# or "TokenPerPage" option is set to true in Owasp.CsrfGuard.properties.
Does this mean that if sessions are invalid after 60 minutes, then if a user who has been inactive for some time between 60 minutes and 8 hours tries the app again, they will get a CSRF error since the token is from the previous session? I think a more sensible default would be 30 minutes (a value of 1800), since it is a common (on the low side) session inactivity period that should not cause undue load on the server...
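To make the timing interaction in the question concrete, here is a small model (added here; it is not CSRFGuard code and does not use its API) of a server that keeps one CSRF token per session, with a separate session inactivity timeout and token lifetime. The numbers (60-minute session, 8-hour token) are taken from the question; the class and function names are invented for the illustration.

```python
"""Model of a per-session CSRF token whose lifetime is independent of the
session inactivity timeout.  Hypothetical code for illustration, not the
CSRFGuard implementation."""
import secrets
from dataclasses import dataclass

SESSION_TIMEOUT = 60 * 60        # 60-minute inactivity timeout (from the question)
TOKEN_TIMEOUT = 8 * 60 * 60      # 8-hour token lifetime (from the question)


@dataclass
class Session:
    sid: str
    last_seen: float
    token: str
    token_issued: float


class Server:
    """Constructed session store: sessions expire on inactivity, tokens on age."""

    def __init__(self, session_timeout=SESSION_TIMEOUT, token_timeout=TOKEN_TIMEOUT):
        self.session_timeout = session_timeout
        self.token_timeout = token_timeout
        self.sessions = {}

    def login(self, now):
        """Create a session and issue its CSRF token (what the browser stores)."""
        sess = Session(secrets.token_hex(8), now, secrets.token_hex(16), now)
        self.sessions[sess.sid] = sess
        return sess

    def handle_post(self, sid, token, now):
        """Validate a state-changing request carrying a session id and token."""
        sess = self.sessions.get(sid)
        if sess is None or now - sess.last_seen > self.session_timeout:
            # The container has dropped the session; a fresh one is created
            # and the submitted token belongs to the old one.
            self.sessions.pop(sid, None)
            self.login(now)
            return "csrf-error: token belongs to expired session"
        if now - sess.token_issued > self.token_timeout:
            return "csrf-error: token expired"
        if not secrets.compare_digest(sess.token, token):
            return "csrf-error: token mismatch"
        sess.last_seen = now
        return "ok"


def outcome_after_idle(idle_seconds, session_timeout=SESSION_TIMEOUT, token_timeout=TOKEN_TIMEOUT):
    """Log in at t=0, come back after idle_seconds with the stored token."""
    server = Server(session_timeout, token_timeout)
    sess = server.login(0)
    return server.handle_post(sess.sid, sess.token, idle_seconds)


if __name__ == "__main__":
    for idle in (30 * 60, 45 * 60, 2 * 60 * 60):
        print(idle // 60, "min idle, 60 min session / 8 h token:", outcome_after_idle(idle))
        print(idle // 60, "min idle, 60 min session / 30 min token:",
              outcome_after_idle(idle, token_timeout=30 * 60))
```

Running it shows that a returning user succeeds only while the idle time is below both thresholds: with a 60-minute session the request after two hours fails because the session, not the token, has gone, while a 30-minute token lifetime makes a 45-minute pause fail even though the session is still alive. Whatever the default, the effective window is the smaller of the two timeouts.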