Before trying to understand these options, please read the explanation of what G.A.S.P. Comments Protection is here.
This can be a little complicated to understand fully, but don't worry... simply going with the defaults that the plugin provides you will offer seriously good protection against automated spambot comments.
What is the 'Comments Cooldown' option?
If you think about it, how often would you, as a visitor to a site/blog, open up an article and immediately comment on that page within a few seconds?
It never happens. So we thought it made sense to use this normal, human, behaviour to our advantage and block automated spambots from posting to a page.
And this is the cooldown feature.
It is available from within Comments SPAM module.
After a page is loaded, a visitor must wait X seconds before being allowed to post to a site. The unique token they "received" (they didn't actually personally received anything - it's embedded within the comments form) has a cooldown period assigned to it.
So, when a comment is posted to a page, the WordPress Shield Security plugin will look-up the unique token, check that it's being used on the correct page, and check whether the "visitor" actually waited the correct length of time. If they didn't, we know it's a bot.
What is the 'Comment Token Expire' option?
Since all page visits are assigned a unique token with which visitors are allowed to post a comment, that token must be allowed to expire eventually, or a spambot can "save up" these tokens and use them later.
But you don't want your visitors to come to a page, read it and then post a comment only to find it's too late and they lose their comment. So, we disable the submit button for the comment form and give them a message to explain that if they want to post a comment, they'll need to refresh their page. Not a bit hassle.
If you set this value sufficiently high, this wont bother most visitors, but be careful not to make it too large.