[Owasp-csrfguard] cache control default for javascript file

[Chris Hyzer]

This is the default for the cache control for the javascript file:

# Allows the developer to specify the value of the Cache-Control header in the HTTP response
# when serving the dynamic JavaScript file. The default value is private, maxage=28800.
# Caching of the dynamic JavaScript file is intended to minimize traffic and improve performance.
# Note that the Cache-Control header is always set to "no-store" when either the "Rotate"
# "TokenPerPage" options is set to true in Owasp.CsrfGuard.properties.
org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800


Does this mean that if sessions are invalid after 60 minutes, then if the user who has been inactive for some time between 60 minutes and 8 hours tries the app again they will get a CSRF error since the token is from the previous session?  I think a more sensible default would be 30 minutes (1800 value) since it is a common (on the low side) session inactivity period that should not cause undo load on the server...

Thoughts?

Thanks,
Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20140521/fd8c5f5c/attachment.html>