02-24-2016, 11:09 PM
On the first question, if you include the init, that auto includes all the classes and makes them work right.
The token thing...that's tricky. Every time there is a new session a new token is generated to prevent the CSRF attacks. I think the trick is to check the token while you're still on the existing page, and THEN send them to your parser file (that other file with the php/jquery in it).
So, regardless of where the rest of your form processing happens, do the token check on the page with the form itself. The whole point is that the input was from the same session you displayed the page on. After that, the data is all server side, so there's really no place for a cross site or man in the middle attack on it.
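The token check described in the post above, sketched in plain PHP as an added example (not part of the original post and not the framework's own code). The function names and the `csrf` field name are hypothetical, and `$session` stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example: hypothetical helpers, constructed sample requests.

function csrf_issue(array &$session): string
{
    // One unpredictable token per session, created on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf'] ?? '';
    // Reject missing or non-string values, then compare in constant time.
    if (!is_string($supplied) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

function handle_form(array &$session, array $post): string
{
    if (!csrf_check($session, $post)) {
        return 'rejected';
    }
    // Only after the check passes are the fields handed to the
    // processing code (the "parser file" in the post).
    return 'processed: ' . ($post['name'] ?? '');
}

// Constructed sample requests.
$session = [];
$token = csrf_issue($session); // value rendered into a hidden form field

echo handle_form($session, ['csrf' => $token, 'name' => 'alice']), "\n"; // processed: alice
echo handle_form($session, ['name' => 'alice']), "\n";                   // rejected (no token)
echo handle_form($session, ['csrf' => str_repeat('0', 64)]), "\n";       // rejected (wrong token)

$other = [];
csrf_issue($other); // a different session gets a different token
echo handle_form($other, ['csrf' => $token, 'name' => 'alice']), "\n";   // rejected
```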