I got my rss reader (news app) open for a long time, basically i use it like a normal application. After one hour it forces me to reload the page which is really annoying. What about generating the CSRF value for each user and renew it on every login? So the cookie will still be renewed but without ever bugging the user.