Why is the CSRF framework have a minimum value of 10 minutes?

GR_Swaminathan 23-10-2018

The OOTB CSRF Framework has a minimum value of 10 minutes configured by default and cannot be reduced to below this value. What is the logic behind this limitation? Would it be possible for an attacker to use the csrf token to perform an attack.

Accepted Solutions (1)

Accepted Solutions (1)

Anselm_H_ 28-02-2019

I just have an educated guess... See /etc.clientlibs/clientlibs/granite/jquery/granite.js:// refreshing csrf token periodically

setInterval(function() {

    getToken();

}, 300000);

This means that every 5 minutes the CSRF-Token gets refreshed in the Browser. So if you set the time below 10 minutes in the CSRFServlet there would be a risk that a valid Browser-Token is not valid anymore at backend. Values above 10 min are fine, because they will be refreshed every 5 min in the Browser.