| CookieSecure | `bool` | Indicates if the CSRF cookie is secure. | false |
107
107
| CookieHTTPOnly | `bool` | Indicates if the CSRF cookie is HTTP-only. | false |
108
108
| CookieSameSite | `string` | Value of SameSite cookie. | "Lax" |
109
-
| CookieSessionOnly | `bool` | Decides whether the cookie should last for only the browser session. Ignores Expiration if set to true. | false |
110
-
| Expiration| `time.Duration` | Expiration is the duration before the CSRF token will expire. | 1 * time.Hour |
109
+
| CookieSessionOnly | `bool` | Decides whether the cookie should last for only the browser session. (cookie expires on close). | false |
110
+
| IdleTimeout | `time.Duration` | IdleTimeout is the duration of inactivity before the CSRF token will expire. | 30 * time.Minute |
111
111
| KeyGenerator | `func() string` | KeyGenerator creates a new CSRF token. | utils.UUID |
112
112
| ErrorHandler | `fiber.ErrorHandler` | ErrorHandler is executed when an error is returned from fiber.Handler. | DefaultErrorHandler |
113
113
| Extractor | `func(fiber.Ctx) (string, error)` | Extractor returns the CSRF token. If set, this will be used in place of an Extractor based on KeyLookup. | Extractor based on KeyLookup |
114
114
| SingleUseToken | `bool` | SingleUseToken indicates if the CSRF token be destroyed and a new one generated on each use. (See TokenLifecycle) | false |
115
115
| Storage | `fiber.Storage` | Store is used to store the state of the middleware. | `nil` |
116
116
| Session | `*session.Store` | Session is used to store the state of the middleware. Overrides Storage if set. | `nil` |
117
-
| SessionKey | `string` | SessionKey is the key used to store the token in the session. | "csrfToken" |
118
117
| TrustedOrigins | `[]string` | TrustedOrigins is a list of trusted origins for unsafe requests. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. | `[]` |
119
118
120
119
### Default Config
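Review bot: Removing the `SessionKey` row leaves the `Session` row ("Session is used to store the state of the middleware. Overrides Storage if set.") as the only description of session-backed storage, and it no longer says how the token is keyed inside the session; add a clause to that row saying the key is now fixed internally, or otherwise note the removal, so readers are not left guessing. Two smaller points in the same hunk: the new `CookieSessionOnly` description should read "for only the browser session (cookie expires on close)." rather than putting a period before the parenthetical, and the untouched `SingleUseToken` row still reads "indicates if the CSRF token be destroyed", which should be "should be destroyed and a new one generated on each use".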
@@ -124,11 +123,10 @@ var ConfigDefault = Config{
124
123
KeyLookup: "header:" + HeaderName,
125
124
CookieName: "csrf_",
126
125
CookieSameSite: "Lax",
127
-
Expiration: 1* time.Hour,
126
+
IdleTimeout: 30* time.Minute,
128
127
KeyGenerator: utils.UUIDv4,
129
128
ErrorHandler: defaultErrorHandler,
130
129
Extractor: FromHeader(HeaderName),
131
-
SessionKey: "csrfToken",
132
130
}
133
131
```
134
132
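Review bot: `IdleTimeout: 30* time.Minute` is not gofmt spacing; write `30 * time.Minute` so it matches the table's stated default (`30 * time.Minute`) and the surrounding block. Also, this block's `KeyGenerator: utils.UUIDv4` disagrees with the table row above, which lists the default as `utils.UUID`; pick one and use it in both places.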
@@ -144,12 +142,11 @@ var ConfigDefault = Config{
144
142
CookieSecure: true,
145
143
CookieSessionOnly: true,
146
144
CookieHTTPOnly: true,
147
-
Expiration: 1* time.Hour,
145
+
IdleTimeout: 30* time.Minute,
148
146
KeyGenerator: utils.UUIDv4,
149
147
ErrorHandler: defaultErrorHandler,
150
148
Extractor: FromHeader(HeaderName),
151
149
Session: session.Store,
152
-
SessionKey: "csrfToken",
153
150
}
154
151
```
155
152
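Review bot: Same spacing nit as the default block, `30* time.Minute` should be `30 * time.Minute`. In this session-backed example `Session: session.Store` names a type rather than a store instance, so the snippet does not compile as shown; use a variable (for example `Session: sessionStore`) or add a comment marking it as a placeholder. Since `SessionKey` is removed here, a one-line comment above `Session:` stating where the token is now kept would give readers of this block the pointer the removed row used to provide.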
@@ -304,7 +301,7 @@ The Referer header is automatically included in requests by all modern browsers,
304
301
305
302
## Token Lifecycle
306
303
307
-
Tokens are valid until they expire or until they are deleted. By default, tokens are valid for 1 hour, and each subsequent request extends the expiration by 1 hour. The token only expires if the user doesn't make a request for the duration of the expiration time.
304
+
Tokens are valid until they expire or until they are deleted. By default, tokens are valid for 30 minutes, and each subsequent request extends the expiration by the idle timeout. The token only expires if the user doesn't make a request for the duration of the idle timeout.
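Review bot: The new sentence describes a sliding timeout but omits that there is no absolute cap: with continual activity a token never expires, and it is only rotated when `SingleUseToken` is set (per the config table in this change). Suggest naming the setting explicitly, e.g. "By default, tokens expire after 30 minutes of inactivity (`IdleTimeout`); every request resets that timer, so an active client keeps the same token indefinitely unless `SingleUseToken` is enabled." It would also help to say whether `IdleTimeout` governs only the stored token or the cookie's expiry as well, now that the `CookieSessionOnly` row only says "cookie expires on close" and the old "Ignores Expiration" wording is gone.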