
Can the _csrf cookie on the hosted login page have a shorter max-age?


For our company’s data retention policy, we require that all cookies we set expire after a maximum of 2 years.
We’re using the hosted login page with a custom domain, and we noticed that there is a _csrf cookie being set with a max-age of 864000000 seconds (~27 years).
Is it possible for the _csrf token to be set to expire sooner than that?


Hey @joshuak. There’s no way to configure the duration of the cookie, but it could definitely be set to a much shorter duration. Can you explain this same requirement at That goes directly to the Product team.
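Since the lifetime cannot be changed on the Auth0 side, the practical follow-up is to audit what the login page actually sets and report anything that outlives the retention limit. The script below is an added example and is not code from Auth0 or from this thread. It parses Set-Cookie headers the way a browser does (Max-Age wins over Expires, a malformed Max-Age is ignored, no lifetime attribute means a session cookie) and flags cookies that exceed a two-year policy. Only the `_csrf` name and its Max-Age of 864000000 come from the question; the other cookie names, flags, the Expires value and the fixed audit clock are constructed for the illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Retention limit from the question: no cookie may outlive two years.
# 365.25 days per year keeps leap years roughly right.
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
POLICY_LIMIT_SECONDS = int(2 * SECONDS_PER_YEAR)  # 63115200

# Fixed clock so the Expires arithmetic is deterministic (constructed, not a real capture).
AUDIT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample headers. The first reproduces the Max-Age reported in the
# question; every other name, value and attribute is made up for this example.
SAMPLE_HEADERS = [
    "_csrf=abc123; Path=/; HttpOnly; Secure; Max-Age=864000000; SameSite=None",
    "example_pref=1; Path=/; Secure; Max-Age=63072000",            # 730 days, within policy
    "example_session=xyz; Path=/; Secure; HttpOnly",                # session cookie, no lifetime
    "example_legacy=1; Path=/; Expires=Wed, 01 Jan 2053 00:00:00 GMT",  # Expires, no Max-Age
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime_seconds(header, now):
    """Seconds the cookie persists beyond `now`, or None for a session cookie.

    Follows RFC 6265 section 5.3: a well-formed Max-Age takes precedence over
    Expires; a Max-Age that is not an integer is ignored entirely; a non-positive
    Max-Age or a past Expires means the cookie is already expired (0 seconds).
    """
    _, _, attrs = parse_set_cookie(header)
    max_age = attrs.get("max-age")
    if max_age is not None and re.fullmatch(r"-?\d+", max_age):
        return max(0, int(max_age))
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable Expires is ignored by browsers: session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    return None


def audit_cookies(headers, now, limit=POLICY_LIMIT_SECONDS):
    """One finding per header: name, lifetime in seconds and years, and whether it breaks the limit."""
    findings = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        lifetime = cookie_lifetime_seconds(header, now)
        findings.append({
            "name": name,
            "lifetime_seconds": lifetime,
            "lifetime_years": None if lifetime is None else round(lifetime / SECONDS_PER_YEAR, 1),
            "violates_policy": lifetime is not None and lifetime > limit,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, AUDIT_TIME):
        status = "VIOLATION" if finding["violates_policy"] else "ok"
        print(f'{finding["name"]:16} {finding["lifetime_years"]!s:>6} years  {status}')
```

Run against a real response, feed `audit_cookies` every `Set-Cookie` header from the login page (for example from `response.raw.headers.getlist("Set-Cookie")` with requests, since a dict of headers collapses repeated cookies into one). On the sample input the `_csrf` entry comes out at 27.4 years, which is the figure in the question, and is reported as a policy violation even though, as the reply notes, nothing on the tenant side can shorten it.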
