diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d964685..1477c99d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - [#2685](https://github.com/oauth2-proxy/oauth2-proxy/pull/2685) feat: allow arbitrary claims from the IDToken and IdentityProvider UserInfo endpoint to be added to the session state (@vegetablest)
 - [#3278](https://github.com/oauth2-proxy/oauth2-proxy/pull/3278) feat: possibility to inject id_token in redirect url during sign out (@albanf)
 - [#2851](https://github.com/oauth2-proxy/oauth2-proxy/pull/2851) feat: add support for specifying allowed OIDC JWT signing algorithms (#2753) (@andoks / @tuunit)
+- [#3369](https://github.com/oauth2-proxy/oauth2-proxy/pull/3369) fix: use CSRFExpire instead of Expire for CSRF cookie validation (@Br1an67)
 # V7.14.3
diff --git a/pkg/cookies/csrf.go b/pkg/cookies/csrf.go
index 939578a2..6fc55716 100644
--- a/pkg/cookies/csrf.go
+++ b/pkg/cookies/csrf.go
@@ -234,7 +234,7 @@ func decodeCSRFCookie(cookie *http.Cookie, opts *options.Cookie) (*csrf, error)
 return nil, fmt.Errorf("error getting cookie secret: %v", err)
 }
- val, t, ok := encryption.Validate(cookie, secret, opts.Expire)
+ val, t, ok := encryption.Validate(cookie, secret, opts.CSRFExpire)
 if !ok {
 return nil, errors.New("CSRF cookie failed validation")
 }
diff --git a/pkg/cookies/csrf_test.go b/pkg/cookies/csrf_test.go
index 085b91df..f791045d 100644
--- a/pkg/cookies/csrf_test.go
+++ b/pkg/cookies/csrf_test.go
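Review bot: The changed line in decodeCSRFCookie now bounds the CSRF cookie's signature timestamp by `opts.CSRFExpire`, but nothing in the hunk records why that is the right horizon, and a later reader could just as easily "fix" it back to the session `Expire`. I would add above the call `// The CSRF cookie is presumably minted with CSRFExpire as its lifetime (creation side not shown here), so its timestamp must be bounded by the same window; opts.Expire is the session cookie lifetime and is unrelated.` Worth confirming how encryption.Validate treats a zero `CSRFExpire` (not visible here): this path previously always passed `opts.Expire`, so if the options layer permits a zero or unset CSRFExpire it now reaches Validate for the first time and, depending on how the cutoff is computed, could reject every CSRF cookie or accept any. decodeCSRFCookie's signature and the start of its body lie above the hunk.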
@@ -119,9 +119,33 @@ var _ = Describe("CSRF Cookie Tests", func() {
 Value: encoded,
 }
- _, _, valid := encryption.Validate(cookie, cookieOpts.Secret, cookieOpts.Expire)
+ _, _, valid := encryption.Validate(cookie, cookieOpts.Secret, cookieOpts.CSRFExpire)
 Expect(valid).To(BeTrue())
 })
+
+ It("validates CSRF token using CSRFExpire when Expire is lower", func() {
+ // Set Expire to be much lower than CSRFExpire
+ cookieOpts.Expire = time.Second
+ cookieOpts.CSRFExpire = time.Hour
+
+ privateCSRF.OAuthState = []byte(csrfState)
+ privateCSRF.OIDCNonce = []byte(csrfNonce)
+
+ encoded, err := privateCSRF.encodeCookie()
+ Expect(err).ToNot(HaveOccurred())
+
+ cookie := &http.Cookie{
+ Name: privateCSRF.cookieName(),
+ Value: encoded,
+ }
+
+ // The cookie should still be valid even though Expire is only 1 second
+ decoded, err := decodeCSRFCookie(cookie, cookieOpts)
+ Expect(err).ToNot(HaveOccurred())
+ Expect(decoded).ToNot(BeNil())
+ Expect(decoded.OAuthState).To(Equal([]byte(csrfState)))
+ Expect(decoded.OIDCNonce).To(Equal([]byte(csrfNonce)))
+ })
 })
 Context("Cookie Management", func() {
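Review bot: The new spec does not actually discriminate the fix from the old code: `cookieOpts.Expire = time.Second` still leaves a cookie encoded microseconds earlier inside a one-second window, so validating against `opts.Expire` would very likely have accepted it too, and the spec only fails on a slow test host. If encryption.Validate derives its cutoff as now minus the duration (not visible here), `cookieOpts.Expire = -time.Hour` would make the old call reject a freshly minted cookie while the fixed call accepts it; otherwise the embedded timestamp needs to be backdated. The security-relevant direction is also unasserted: a companion spec with `cookieOpts.Expire = time.Hour` and `cookieOpts.CSRFExpire = -time.Hour` (or a backdated timestamp) should expect `decodeCSRFCookie` to return an error, pinning that a stale CSRF cookie is not accepted merely because the session lifetime is long. The spec also mutates the shared `cookieOpts`; if it is not reset in a BeforeEach outside the hunk, the changed Expire/CSRFExpire values leak into later specs. The enclosing Describe starts before the hunk.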