How to expire the csrf token?

[funkyboy]

I was wondering, is there a way to tweak the expiration of the csrf token?
Or even better, generate a new random one for each new request?

[funkyboy]

I am trying

before do
  env['rack.session']['csrf.token'] = SecureRandom.urlsafe_base64(32)
end

It works but I am not sure it's the best way and how it impacts on the performance.

[baldowl]

I think it's better if in an after filter you remove the key from session; something like (untested):

after do
  env['rack.session'].delete(Rack::Csrf.key)
end

[funkyboy]

Ok, but if I remove it, will a new random one be generated and injected?

[baldowl]

Nvm, scrap it: it would remove the token before Rack::Csrf had a chance to look at it.

[funkyboy]

So far the "before approach" seems to work. It's tricky in the case of Ajax calls that use themetatag so I went with:

  before do
    unless request.xhr?
      env['rack.session']['csrf.token'] = SecureRandom.urlsafe_base64(32)
    end 
  end