diff --git a/src/controllers/api.js b/src/controllers/api.js
index b53e0d0ad1..522e4676e3 100644
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -57,7 +57,7 @@ apiController.loadConfig = function (req, callback) {
 config.requireEmailConfirmation = meta.config.requireEmailConfirmation === 1;
 config.topicPostSort = meta.config.topicPostSort || 'oldest_to_newest';
 config.categoryTopicSort = meta.config.categoryTopicSort || 'newest_to_oldest';
- config.csrf_token = req.csrfToken && req.csrfToken();
+ config.csrf_token = !req.isSpider() && req.csrfToken && req.csrfToken();
 config.searchEnabled = plugins.hasListeners('filter:search.query');
 config.bootswatchSkin = meta.config.bootswatchSkin || '';
 config.enablePostHistory = (meta.config.enablePostHistory || 1) === 1;
diff --git a/src/middleware/index.js b/src/middleware/index.js
index 91d5a0e01d..0f5c423614 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -32,7 +32,15 @@ middleware.regexes = {
 timestampedUpload: /^\d+-.+$/,
 };
-middleware.applyCSRF = csrf();
+const csrfMiddleware = csrf();
+
+middleware.applyCSRF = function(req, res, next) {
+ if (req.uid >= 0) {
+ csrfMiddleware(req, res, next);
+ } else {
+ setImmediate(next);
+ }
+};
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
diff --git a/src/webserver.js b/src/webserver.js
index 76e96a3ffb..1f2477ff88 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -174,8 +174,8 @@ function setupExpressApp(app, callback) {
 secret: nconf.get('secret'),
 key: nconf.get('sessionKey'),
 cookie: setupCookie(),
- resave: true,
- saveUninitialized: true,
+ resave: nconf.get('sessionResave') || false,
+ saveUninitialized: nconf.get('sessionSaveUninitialized') || false,
 }));
 var hsts_option = {
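Review bot: The new `config.csrf_token` line in loadConfig yields the boolean `false` for spider requests, whereas the non-spider path yields either a token string or `undefined` (when `req.csrfToken` is absent), so consumers of this config now see three distinct shapes for one field. Since this value is serialized into client-facing config, an explicit empty value reads better and avoids downstream `typeof` surprises: `config.csrf_token = req.isSpider() ? '' : (req.csrfToken && req.csrfToken());` (or `undefined` if the client already treats absence as "no token"). This gate also duplicates, in different terms, the `req.uid >= 0` test that the middleware hunk uses to decide whether the CSRF middleware ran at all; a one-line comment such as `// spiders never get a CSRF token; see middleware.applyCSRF` would tie the two together, and ideally both would call the same predicate. loadConfig starts and ends outside the hunk.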
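Review bot: The `if (req.uid >= 0)` test in the new `middleware.applyCSRF` fails open: if `req.uid` is `undefined` (the uid-populating middleware has not run yet, or is reordered later) then `undefined >= 0` is `false` and the CSRF middleware is silently skipped for every request, including authenticated ones. Inverting the branches makes the exemption explicit and fails closed, `if (req.uid < 0) { setImmediate(next); } else { csrfMiddleware(req, res, next); }`, because `undefined < 0` is also `false`, so a missing uid still gets CSRF protection. The exemption itself deserves a comment stating who a negative uid is (presumably spiders/guests-as-bots, to be confirmed against the middleware that sets `req.uid`) and why they are exempt, e.g. `// Spider requests (uid < 0) have no session to protect and cannot obtain a token, so skip CSRF for them.` Style-wise, `function(req, res, next)` drops the space before the parameter list that the surrounding file uses (`function (req, callback)` in the api.js hunk header).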
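Review bot: `nconf.get('sessionResave') || false` and the matching `saveUninitialized` line in setupExpressApp only coerce a missing value to `false`; any truthy non-boolean from the config source — notably the string `"false"` if nconf is also fed from environment variables or argv, where values arrive as strings — becomes a truthy `resave`/`saveUninitialized`, re-enabling the behaviour the commit sets out to disable. Comparing strictly keeps the default closed: `resave: nconf.get('sessionResave') === true,` and `saveUninitialized: nconf.get('sessionSaveUninitialized') === true,`. A short comment above the block noting that `false` is the express-session recommended setting for both options, and that `saveUninitialized: false` avoids creating a session store entry and cookie for every anonymous or spider hit, would record why the previous `true` values were dropped. setupExpressApp starts and ends outside the hunk.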