https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17110
--- Comment #9 from Marcel de Rooy <[email protected]> ---
(In reply to Jonathan Druart from comment #8)
> Could you please detail why you need this change?
> I will break the following use case:
> - Start to fill a form
> - *Ring belt end of the day*
> - you hurry up to get back at home quickly
> - Tomorrow morning, you finish to fill the form
> - Submit
> - You lost your changes
>
> Ok it's a bit far-fetched but I don't understand what will bring us this
> 8-hours limitation.

You only need the token between loading the form and submitting it. I do not
understand why you need 7 days for doing so?
Suppose an attacker got a CSRF token somehow from one user. Now he only needs
that user to click on a malicious Koha URL that also sends the token. The amount
of danger is obviously directly related to the length of the expiry period.
Shorter is better, but should be balanced with ease of use.
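
The trade-off discussed in this comment and the one it replies to, as an added example that is not part of the original message and is not Koha's code: a timestamped, HMAC-signed CSRF token checked against an 8-hour and a 7-day expiry. The token layout, function names, secret and timeline are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

EIGHT_HOURS = 8 * 3600        # expiry discussed in this thread
SEVEN_DAYS = 7 * 24 * 3600    # the longer expiry it is compared with


def issue_token(secret: bytes, session_id: str, now: int) -> str:
    """Token = issue time, nonce, HMAC over (session, time, nonce)."""
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{now}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{now}.{nonce}.{mac}"


def check_token(secret: bytes, session_id: str, token: str,
                now: int, max_age: int) -> str:
    """Return 'ok', 'expired', 'invalid' or 'malformed'."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return "malformed"
    issued, nonce, mac = parts
    msg = f"{session_id}|{issued}|{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Verify the signature before trusting the embedded timestamp.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "invalid"
    age = now - int(issued)
    if age < 0 or age > max_age:
        return "expired"
    return "ok"


def scenario(max_age: int) -> dict:
    """Constructed timeline: one token issued when the form loads at t0."""
    secret, sid, t0 = b"constructed-demo-secret", "session-A", 1_700_000_000
    tok = issue_token(secret, sid, t0)
    return {
        "submit_after_5_min": check_token(secret, sid, tok, t0 + 300, max_age),
        "submit_next_morning": check_token(secret, sid, tok, t0 + 16 * 3600, max_age),
        "leaked_token_after_3_days": check_token(secret, sid, tok, t0 + 3 * 86400, max_age),
        "other_session": check_token(secret, "session-B", tok, t0 + 300, max_age),
    }


if __name__ == "__main__":
    for label, max_age in (("8 hours", EIGHT_HOURS), ("7 days", SEVEN_DAYS)):
        print(label, scenario(max_age))
```

With the 8-hour limit the next-morning submit and the three-day-old leaked token are both rejected; with 7 days both are accepted, which is the usability gain and the exposure window respectively.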
