A Pet Peeve Regarding Tokenization and Forms

Look, if you are going to tokenize your forms (and you should because of CSRF), you also need to have some active JS (or whatever) on the page that at least hides the form after the last valid token expires. For those of us who leave websites that we sign into open, we are tired of logging in twice! Citi.com I’m looking at you.