diff --git a/pkg/cookies/csrf.go b/pkg/cookies/csrf.go
index 939578a2..6fc55716 100644
--- a/pkg/cookies/csrf.go
+++ b/pkg/cookies/csrf.go
@@ -234,7 +234,7 @@ func decodeCSRFCookie(cookie *http.Cookie, opts *options.Cookie) (*csrf, error)
 return nil, fmt.Errorf("error getting cookie secret: %v", err)
 }
- val, t, ok := encryption.Validate(cookie, secret, opts.Expire)
+ val, t, ok := encryption.Validate(cookie, secret, opts.CSRFExpire)
 if !ok {
 return nil, errors.New("CSRF cookie failed validation")
 }
diff --git a/pkg/cookies/csrf_test.go b/pkg/cookies/csrf_test.go
index 085b91df..f791045d 100644
--- a/pkg/cookies/csrf_test.go
+++ b/pkg/cookies/csrf_test.go
@@ -119,9 +119,33 @@ var _ = Describe("CSRF Cookie Tests", func() {
 Value: encoded,
 }
- _, _, valid := encryption.Validate(cookie, cookieOpts.Secret, cookieOpts.Expire)
+ _, _, valid := encryption.Validate(cookie, cookieOpts.Secret, cookieOpts.CSRFExpire)
 Expect(valid).To(BeTrue())
 })
+
+ It("validates CSRF token using CSRFExpire when Expire is lower", func() {
+ // Set Expire to be much lower than CSRFExpire
+ cookieOpts.Expire = time.Second
+ cookieOpts.CSRFExpire = time.Hour
+
+ privateCSRF.OAuthState = []byte(csrfState)
+ privateCSRF.OIDCNonce = []byte(csrfNonce)
+
+ encoded, err := privateCSRF.encodeCookie()
+ Expect(err).ToNot(HaveOccurred())
+
+ cookie := &http.Cookie{
+ Name: privateCSRF.cookieName(),
+ Value: encoded,
+ }
+
+ // The cookie should still be valid even though Expire is only 1 second
+ decoded, err := decodeCSRFCookie(cookie, cookieOpts)
+ Expect(err).ToNot(HaveOccurred())
+ Expect(decoded).ToNot(BeNil())
+ Expect(decoded.OAuthState).To(Equal([]byte(csrfState)))
+ Expect(decoded.OIDCNonce).To(Equal([]byte(csrfNonce)))
+ })
 })
 Context("Cookie Management", func() {
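Review bot: The switch from opts.Expire to opts.CSRFExpire on the encryption.Validate call carries no comment, and since the signed timestamp is only meaningful against the lifetime the CSRF cookie was issued with, the next reader may well "correct" it back; a one-liner above the call would pin the intent: `// CSRF cookies have their own lifetime (CSRFExpire); validating against the session Expire rejects tokens before the cookie itself expires.` The encode side and the cookie's Expires attribute are not in this hunk, so confirm both are driven by CSRFExpire as well, otherwise the signed timestamp and the browser-side lifetime still disagree. If a zero or unset CSRFExpire can reach this point, check how encryption.Validate treats a zero duration, since the previous Expire value no longer bounds the window. decodeCSRFCookie's body begins and continues outside the hunk.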
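Review bot: The new spec "validates CSRF token using CSRFExpire when Expire is lower" most likely passes against the pre-fix code too: with cookieOpts.Expire set to time.Second, encodeCookie and decodeCSRFCookie run within the same second, so a Validate call using Expire would also accept the timestamp, and the test does not discriminate the regression it is meant to guard. To make it bite, the Expire window has to be closed by the time decodeCSRFCookie runs, e.g. by stamping the cookie with a timestamp older than Expire if the encoder or Validate exposes a time hook, or by choosing an Expire value that Validate treats as already elapsed; I cannot see Validate's handling of zero or negative durations from here, so verify before relying on that. The spec also mutates the shared cookieOpts and privateCSRF; whether that leaks into the following specs depends on a BeforeEach that is outside the hunk, so confirm they are rebuilt per spec or restore the two fields at the end of this one. The enclosing Describe block starts before the hunk and continues past it.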