Timeout options for mezzio-csrf

Hello,

is it possible to set a timeout for mezzio-csrf? I did not find a use case in the documentation.

If you use mezzio-session-ext then the ini settings can help:

Otherwise, please describe where exactly you want to set the timeout.

I would like to set an expiration time for a form, e.g. login. After submitting the form after the time I would like to return an error to the user. In laminasa this could be done by setting a variable for CSRF. For example:

$this->add([
			'name' => 'login_csrf',
			'type' => Element\Csrf::class,
			'options' => [
				'salt' => 'unique',
				'timeout' => 180
			],
			'attributes' => [
				'id' => 'login_csrf'
			]
		]);

And finally you could return an error ( Csrf::NOT_SAME ) through the validator…

See in the documentation of laminas-form, there will you find the correct option keys:

use Laminas\Form\Element;
use Laminas\Form\Form;

$form = new Form('my-form');
$form->add([
    'type' => Element\Csrf::class,
    'name' => 'csrf',
    'options' => [
        'csrf_options' => [
            'timeout' => 600,
        ],
    ],
]);

This will set the options for the underlying CSRF validator:

We misunderstood each other. According to the recommendations in the mezzio project, you should not use laminas-session if you are using mezzio-session and mezzio-session-ext, which is what laminas validator csrf - laminas-session requires:

My question is about setting the timeout option for mezzio-csrf.

This means that you cannot use the CSRF element of laminas-form like this. You must set a custom CSRF validator to the form element.

1 Like

Instead of the form element, use the middleware of mezzio-csrf.