Generate a CSRF token cookie. This cookie is intentionally not HttpOnly so that frontend
JavaScript can read it and send the value back as a request header for double-submit verification
(the server accepts the request only when the header value matches the cookie value).
The CSRF cookie uses a fixed 400-day Max-Age rather than matching the auth cookie duration. 400
days is the cross-browser safe maximum: Chrome caps cookie lifetimes at 400 days, following the
RFC 6265bis draft, and other browsers accept the value as-is. The CSRF token is only meaningful
when paired with a valid JWT, so it doesn't need its own expiration management. It gets
regenerated on every fresh login. The token value must come from a CSPRNG and be compared in
constant time; the pattern also assumes no attacker can set cookies for the domain (for
example from a sibling subdomain), since a planted cookie plus matching header would pass the check.