Keep CSRF tokens valid for longer

Description

Invalidating the CSRF token on each form submit is inconvenient: it
prevents users from using the tool in multiple tabs at once, because the
different tabs will fight over the last valid CSRF token. It seems to be
acceptable to keep the token valid for longer (MediaWiki’s CSRF tokens
are also valid for a long time); to provide *some* way to invalidate it,
clear the token on each successful login.
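As an added illustration (not the tool's own code), the following Python sketch contrasts the old per-submit rotation with the session-lifetime token the commit describes. A plain dict stands in for the server-side session, which is an assumption; the tool's real session backend is not shown on this page.

```python
import hmac
import secrets


def get_csrf_token(session):
    """Return the session's CSRF token, minting one if none exists yet.
    The token lives as long as the session, so several open tabs share
    one valid token instead of invalidating each other's forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_csrf_token(session, submitted):
    """Compare a submitted token against the session token in constant time."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def check_csrf_token_rotating(session, submitted):
    """Old behaviour: accept at most once, then discard the token."""
    ok = check_csrf_token(session, submitted)
    session.pop("csrf_token", None)
    return ok


def on_successful_login(session):
    """Clear the token on login, the one invalidation point that remains,
    so a token minted before authentication is not carried into the
    authenticated session. Returns the fresh token."""
    session.pop("csrf_token", None)
    return get_csrf_token(session)


def simulate_two_tabs(rotate_on_submit):
    """Two tabs render forms, then submit one after the other.
    Returns (tab A accepted, tab B accepted, old token valid after login)."""
    session = {}  # constructed stand-in for the server-side session
    tab_a = get_csrf_token(session)
    tab_b = get_csrf_token(session)
    check = check_csrf_token_rotating if rotate_on_submit else check_csrf_token
    first = check(session, tab_a)
    second = check(session, tab_b)  # fails under rotation: tab A used it up
    old = get_csrf_token(session)
    on_successful_login(session)
    stale = check_csrf_token(session, old)
    return first, second, stale
```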

Details

Provenance: LucasWerkmeister, authored on Oct 17 2020, 2:34 PM
Parents: R2362:36c80aae9f87: Add /logout route
Branches: Unknown
Tags: Unknown
ChangeId: None