User Details
- User Since
- Feb 26 2015, 7:37 PM
- Availability
- Available
Feb 26 2015
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
Nope, I'm not pitching consulting services. I joined the conversation at the request of a member of my ops team; I am stating that allowing a token to remain valid for 30 days needlessly increases the attack surface of the application.
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
The tokens that allow for persistent access to a site can be used for CSRF attacks. Do you have specific protections in place to keep this from happening?
infosecdweeb added a comment to T4806: Give installs more control over session expiry / prompt for reauth before taking security actions.
There are actually legitimate security controls when you have sessions that don't expire. Cross-site request forgery (CSRF) attacks specifically take advantage of persistent session tokens and use them to take action as the user that was granted the token.
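The mechanism the comments above argue about, shown end to end as an added example (not Phabricator's code and not a description of its actual CSRF or session handling): a long-lived session cookie is attached by the browser to a form post from an attacker's page just as readily as to one from the application, so a handler that authenticates on the cookie alone executes the forged action. The hardened handler requires a per-session synchronizer token that only same-origin pages can read, checks the Origin header, and bounds session age. Request shapes, the in-memory session table, the `https://app.example` site origin and the 12-hour/1-hour lifetimes are assumptions made for the illustration.

```python
import secrets

SESSIONS = {}  # session id -> record; in-memory stand-in for a sessions table (constructed)


def create_session(user, now):
    """Issue a session cookie value plus a per-session CSRF token bound to it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now,
                     "csrf": secrets.token_urlsafe(24)}
    return sid


def session_for(req, now, max_age, idle_timeout):
    """Return the session record if the cookie is valid, else None.

    max_age bounds absolute lifetime, idle_timeout the gap between requests.
    With a 30-day max_age a stolen or forged-upon cookie stays usable for up
    to 30 days; shorter values shrink that window.
    """
    sid = req["cookies"].get("session")
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if now - rec["created"] > max_age or now - rec["last_seen"] > idle_timeout:
        SESSIONS.pop(sid, None)
        return None
    rec["last_seen"] = now
    return rec


def weak_change_email(req, now, max_age=30 * 86400, idle_timeout=30 * 86400):
    """Authenticates on the cookie alone. A cross-site form post carries the
    cookie too, so a forged request succeeds as the victim."""
    rec = session_for(req, now, max_age, idle_timeout)
    if rec is None:
        return (401, "no valid session")
    return (200, f"{rec['user']} email -> {req['form']['email']}")


def hardened_change_email(req, now, max_age=12 * 3600, idle_timeout=3600,
                          site="https://app.example"):
    """Requires the synchronizer token (readable only by same-origin pages),
    checks Origin, and uses a much shorter session lifetime."""
    rec = session_for(req, now, max_age, idle_timeout)
    if rec is None:
        return (401, "no valid session")
    if req["headers"].get("Origin") != site:
        return (403, "origin mismatch")
    sent = req["form"].get("csrf", "")
    if not secrets.compare_digest(sent, rec["csrf"]):  # constant-time compare
        return (403, "bad csrf token")
    return (200, f"{rec['user']} email -> {req['form']['email']}")


def scenario():
    """Constructed scenario: the victim logs in, then an attacker-controlled
    page auto-submits a form to the email-change endpoint."""
    t0 = 1_700_000_000
    sid = create_session("alice", t0)
    token = SESSIONS[sid]["csrf"]
    cookie = {"session": sid}  # the browser attaches this to both requests
    legit = {"cookies": cookie, "headers": {"Origin": "https://app.example"},
             "form": {"email": "alice@new.example", "csrf": token}}
    forged = {"cookies": cookie, "headers": {"Origin": "https://evil.example"},
              "form": {"email": "attacker@evil.example"}}  # no token: evil page cannot read it
    later = t0 + 20 * 86400  # the attacker fires the forged post 20 days after login
    return {
        "weak_legit": weak_change_email(legit, t0 + 60)[0],
        "weak_forged": weak_change_email(forged, later)[0],
        "hard_legit": hardened_change_email(legit, t0 + 60)[0],
        "hard_forged": hardened_change_email(forged, t0 + 60)[0],
        "hard_stale": hardened_change_email(legit, later)[0],
    }


if __name__ == "__main__":
    for name, status in scenario().items():
        print(f"{name}: HTTP {status}")
```

Run it and the weak handler returns 200 for both the legitimate and the forged post, 20 days in; the hardened handler rejects the forged post with 403 and, because the session has outlived its 12-hour bound, rejects even a well-formed request at day 20 with 401. Origin checking is a second, independent layer: a token check alone already stops the forged post, and the Origin check still stops it when a token is somehow leaked but the request comes from the wrong site.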