Strange behavior of CSRF tokens with a low csrf_expire (3.1.2)

I don't believe the two regressions affect us, but we've had issues in the past few releases with the image library, so we've started waiting a week or so before applying updates. Part of our application requires HTML submission, so we use a third-party library to filter input.

We've been pen-tested twice and neither firm was able to break in. An HSTS policy, an LB security policy, some headers, and a few tricks all come together to secure the application. We do auto-create sessions, but they are not authorized until credentials and CSRF are verified.

Our app is built using RequireJS and has a hook-based boot system. It will only respond to requests that conform to our requirements and blocks all other requests. In the /token route, for example, system booting is disabled server-side and a single route outputs a JSON blob only if certain conditions exist. You can't put that route into your URL bar and receive a response.

I see your point about impersonation, but the only way to properly fix that is to use per-request CSRF tokens, which we'll have to agree to disagree on. The other security measures we have in place prevent attacks that could be used to steal the user's token.

We're getting off topic. Thanks for the replies; they helped pin down what was going on.

Cheers,
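The post above contrasts per-session CSRF tokens with an expiry (the csrf_expire setting in the thread title) against per-request tokens. The following is an added example, not code from the poster or from CodeIgniter: a hypothetical CsrfStore with an injectable clock that shows the failure mode a low csrf_expire produces (a form rendered before the token expires is rejected when it comes back) and, for comparison, the single-use behaviour of per-request tokens. The class, method and scenario names are assumptions chosen for this illustration.

```python
"""Per-session vs per-request CSRF tokens with an expiry window.

Hypothetical model written for this thread; it is NOT CodeIgniter's CSRF
code. CsrfStore, csrf_expire and per_request are names assumed here.
"""
import hmac
import secrets
import time


class CsrfStore:
    """Server-side CSRF token state for one session.

    csrf_expire: seconds a token stays valid after it is issued.
    per_request: rotate the token after every successful verification.
    clock:       injectable time source so expiry can be exercised offline.
    """

    def __init__(self, csrf_expire, per_request=False, clock=time.time):
        self.csrf_expire = csrf_expire
        self.per_request = per_request
        self.clock = clock
        self.token = None
        self.issued_at = None

    def _rotate(self, now):
        self.token = secrets.token_hex(16)
        self.issued_at = now

    def _expired(self, now):
        return self.token is None or now - self.issued_at >= self.csrf_expire

    def current_token(self):
        """Token to embed in a form or hand out from a /token route.

        A per-session store keeps returning the same value until csrf_expire
        passes; only then is a new token minted.
        """
        now = self.clock()
        if self._expired(now):
            self._rotate(now)
        return self.token

    def verify(self, submitted):
        """True only for an unexpired token that matches exactly.

        Fails closed on a missing, expired or mismatched token; an expired
        token is rotated so the next render gets a fresh one.
        """
        now = self.clock()
        if self._expired(now):
            self._rotate(now)
            return False
        if not isinstance(submitted, str):
            return False
        ok = hmac.compare_digest(submitted, self.token)
        if ok and self.per_request:
            self._rotate(now)  # single-use: replaying this token now fails
        return ok


class FakeClock:
    """Constructed clock so the scenarios below run without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def low_expire_scenario(csrf_expire=2, render_to_submit=3):
    """Form rendered at t=0, submitted render_to_submit seconds later.

    When csrf_expire is shorter than the time the user spends on the form,
    the token embedded in the page is already dead when it comes back.
    Returns (accepted, token_changed_after_submit).
    """
    clock = FakeClock()
    store = CsrfStore(csrf_expire, clock=clock)
    form_token = store.current_token()
    clock.advance(render_to_submit)
    accepted = store.verify(form_token)
    return accepted, store.current_token() != form_token


def per_request_scenario():
    """Per-request tokens: first use succeeds, the replay is rejected.

    Returns (first_accepted, replay_accepted).
    """
    store = CsrfStore(csrf_expire=3600, per_request=True, clock=FakeClock())
    tok = store.current_token()
    return store.verify(tok), store.verify(tok)


if __name__ == "__main__":
    print("low csrf_expire, slow submit:", low_expire_scenario())
    print("per-request token, replayed:", per_request_scenario())
```

Raising csrf_expire well above the longest realistic form-fill time makes low_expire_scenario accept the submission again, which is the trade-off the thread is circling: a per-session token that lives long enough to be usable is also a token worth stealing, while a per-request token limits what a stolen value is good for.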


Messages In This Thread
RE: Strange behavior of CSRF tokens with a low csrf_expire (3.1.2) - by spjonez - 01-27-2017, 11:42 AM
