7 votes
CSRF error on registration page
Hi,
I got a CSRF error on the registration page, probably a timeout because I read the terms and privacy policy before going on with the registration. :)
That's a bad first impression for users and should be avoided.
Chris
Ah, I think this would be because I have the default logged-out session timeout set to 10 minutes, and extend it to much longer once someone logs in. Since the site isn't accessible to logged-out users right now anyway, I didn't want to keep a bunch of useless sessions around (from people that just looked at the site but couldn't log in or register anyway) and thought I could just set a very low timeout for them.
I didn't think about the effect on CSRF for registering though, thanks for pointing that out. I'll bump it up to an hour or so. That's still quite low but should get rid of issues like this one.
I wonder if that was due to a session timeout? In any event, good to know.
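The failure discussed in this thread, modelled as an added sketch that is not the site's own code. It assumes the CSRF token is stored in a server-side session with an idle timeout (the thread names no framework); `SessionStore`, `register_after` and the reading times are hypothetical.

```python
import hmac
import secrets

ANON_TIMEOUT = 10 * 60         # logged-out idle timeout from the thread (seconds)
BUMPED_ANON_TIMEOUT = 60 * 60  # the "hour or so" proposed in the reply


class SessionStore:
    """In-memory sessions with an idle timeout; the CSRF token lives in the session."""

    def __init__(self, anon_timeout):
        self.anon_timeout = anon_timeout
        self._sessions = {}  # session id -> {"csrf": token, "expires": timestamp}

    def render_form(self, now):
        """Serve the registration form: new anonymous session plus its CSRF token."""
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": token, "expires": now + self.anon_timeout}
        return sid, token

    def submit_form(self, sid, token, now):
        """Validate a POST and return 'ok' or a 'csrf-error: ...' reason."""
        session = self._sessions.get(sid)
        if session is None or now >= session["expires"]:
            self._sessions.pop(sid, None)  # expired session and its token are gone
            return "csrf-error: session expired"
        if not hmac.compare_digest(session["csrf"], token):
            return "csrf-error: token mismatch"
        session["expires"] = now + self.anon_timeout  # activity refreshes the timer
        return "ok"


def register_after(read_seconds, anon_timeout):
    """Load the form at t=0, read the terms for read_seconds, then submit."""
    store = SessionStore(anon_timeout)
    sid, token = store.render_form(now=0)
    return store.submit_form(sid, token, now=read_seconds)


if __name__ == "__main__":
    # Constructed reading times: 5, 15 and 90 minutes on the registration page.
    for timeout in (ANON_TIMEOUT, BUMPED_ANON_TIMEOUT):
        for read in (5 * 60, 15 * 60, 90 * 60):
            print(f"timeout={timeout // 60:>2}min read={read // 60:>2}min ->",
                  register_after(read, timeout))
```

A longer anonymous timeout only moves the cutoff: a reader who takes more than the hour still hits the same error, so the trade-off is between stale logged-out sessions kept around and how long a form stays submittable.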