diff --git a/controller.go b/controller.go
index 71287811..c9d5b72c 100644
--- a/controller.go
+++ b/controller.go
@@ -452,7 +452,7 @@ func (c *Controller) XsrfToken() string {
 } else {
 expire = int64(XSRFExpire)
 }
- token = string(utils.RandomCreateBytes(15))
+ token = string(utils.RandomCreateBytes(32))
 c.SetSecureCookie(XSRFKEY, "_xsrf", token, expire)
 }
 c._xsrf_token = token
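Review bot: The new length in `utils.RandomCreateBytes(32)` is a bare literal, and nothing at the call site records what strength it is meant to provide. A named constant with a comment would make a later reduction a visible decision, for example `const xsrfTokenLen = 32 // length of a freshly issued _xsrf token` (the name is only a suggestion). The longer token adds unpredictability only if `RandomCreateBytes` draws from `crypto/rand` and does not quietly fall back to a weaker generator on error. Its body is not part of this diff, so that is worth confirming alongside the change. Only the generation branch is touched, so tokens already held in `_xsrf` cookies presumably stay at the old length until they expire. `XsrfToken` starts and ends outside the hunk.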