The Army CVR Login Process Has An Annoyance
The policy for our cloud has been changed so that the user is logged out after 18 hours. This effectively means that a user has to log in every single day, and they are probably logged out while they are sleeping, getting ready for the next day. The 6 hours of inactivity is long enough for the CSRF tokens to expire, and I repeatedly forget that when I'm prompted to log back in at the start of my day, I'm going to type my secure 16+ character password and then have to type it again because "sorry, your session has timed out".

When a session times out, I think the UX should either show an error message immediately so that a user can take action to refresh their session tokens, or check when the user starts to enter input and show the error then. Alternatively, you could just accept the password: you're in a login process, so it's unclear why stale tokens would matter in this case, provided the authentication process succeeds. Maybe it's hard to provide different session tokens after the authentication finishes? In any case, this is a huge annoyance and discourages secure passwords.
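A sketch of the first two suggestions above, as an added example that is not code from this post or from the CVR login page: the login form warns as soon as its CSRF token has aged out, and checks again on focus, first keystroke and submit so the password is never sent with a dead token. The names `tokenState`, `guardLoginForm` and `onStale`, and the idea that the page knows its token's issue time and lifetime, are assumptions.

```javascript
// Classify the login form's CSRF token by age. Times are epoch milliseconds.
// Assumption: issuedAt is taken from the client's own clock at page load,
// so server/client clock skew does not matter.
function tokenState(issuedAt, ttlMs, now) {
  const age = now - issuedAt;
  if (age < 0) return "expired"; // clock moved backwards: treat as stale
  return age >= ttlMs ? "expired" : "fresh";
}

// Attach the staleness check to a login form.
// onStale (hypothetical callback) is where the page would show its
// "session timed out" banner and fetch a new token or reload.
// now and schedule are injectable so the logic can run without a browser.
function guardLoginForm(form, { issuedAt, ttlMs, onStale, now = Date.now, schedule = setTimeout }) {
  let warned = false;
  const check = (event) => {
    if (tokenState(issuedAt, ttlMs, now()) === "fresh") return true;
    // Stop the submit so the user is not asked to retype the password.
    if (event && event.type === "submit") event.preventDefault();
    if (!warned) { warned = true; onStale(); }
    return false;
  };
  // Suggestion 1: show the error as soon as the token expires.
  schedule(check, Math.max(0, issuedAt + ttlMs - now()));
  // Suggestion 2: timers are throttled in background tabs and paused while
  // the machine sleeps, so re-check when the user actually touches the form.
  for (const type of ["focusin", "input", "submit"]) {
    form.addEventListener(type, check);
  }
  return check;
}
```

In a browser this would be called once at page load with the real form element; the server still validates the token on every POST, so the check only moves the error earlier in the user's flow.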
