diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php index de2a3266..9b22c379 100644 --- a/public/include/classes/user.class.php +++ b/public/include/classes/user.class.php @@ -801,8 +801,10 @@ class User extends Base { $month = $data[0]; $day = $data[1]; $year = $data[2]; $hour = $data[3]; $minute = $data[4]; $second = $data[5]; $seed = $this->salty; - // X second lead time on each minute - if ($minute == 59 && $second > (60-$this->config['csrf']['options']['leadtime'])) { + $lead = $this->config['csrf']['options']['leadtime']; + if ($lead >= 11) { $lead = 10; } + if ($lead <= 0) { $lead = 3; } + if ($minute == 59 && $second > (60-$lead)) { $minute = 0; $fhour = ($hour == 23) ? $hour = 0 : $hour+=1; } diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php index 6ccf2b84..fddace83 100644 --- a/public/include/config/global.inc.dist.php +++ b/public/include/config/global.inc.dist.php @@ -134,7 +134,7 @@ $config['twofactor']['options']['changepw'] = true; * * Options: * enabled = Whether or not we will generate/check for valid CSRF tokens - * leadtime = 1 minute + leadtime seconds for reseeding tokens + * leadtime = Length of time in seconds to give as leeway, 1-10s * login = Use and check CSRF tokens for the login forms * * Default: diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php index 027c1e04..5c26848d 100644 --- a/public/include/pages/login.inc.php +++ b/public/include/pages/login.inc.php 
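Review bot: The new clamp in the user.class.php hunk compares the raw config value without casting it, so a non-integer such as `10.5` passes both checks, and a missing or non-numeric `leadtime` is resolved by PHP's loose comparison rules rather than by an explicit default. Casting first, `$lead = (int) $this->config['csrf']['options']['leadtime'];`, makes the two bounds behave the same for every input. The commit also deletes the only comment on this branch; something like `// Clamp CSRF lead time to 1-10s; zero or negative values fall back to 3s` would record the silent fallback, which the updated `leadtime` description in global.inc.dist.php does not mention either. The enclosing method starts and ends outside the hunk.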
@@ -25,7 +25,8 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
 $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
 }
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: Token expired', 'TYPE' => 'errormsg');
+ $img = "";
+ $_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
 }
 } else if (@$_POST['username'] && @$_POST['password']) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
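Review bot: `$img` is assigned an empty string and then interpolated, so as shown the new message ends in a stray space and the variable does nothing; if it was meant to carry markup, the popup content should stay a fixed string that the template is known to render safely. Dropping it gives `$_SESSION['POPUP'][] = array('CONTENT' => 'Login token expired, please try again', 'TYPE' => 'info');`. The branch also downgrades what the message describes as an expired login token from `errormsg` to `info`, and no log call is visible in the hunk, so repeated token failures on the login form would leave no trace for whoever monitors it; a log entry here would help. The surrounding if/else chain starts outside the hunk.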