The token is regenerated every time the page loads/refreshes.
I don't have a problem with loading classes manually. I do it all the time when I need to. The reason I suggested the core/init.php file is because that's where the database connection info, the cookie info, and the token info are stored. Plus it autoloads the classes to boot.... That might actually be the bulk of your problem.
The way it works (if I remember correctly) is:
1. core/init.php defines the core information needed (connections, cookies, etc) and then autoloads the classes.
2. The config class parses all this stuff into a format the other classes can use.
3. The other classes do their thing.
So, about the token. It can be checked at any point during the process, it just needs to know where to look for the token. The default area is $_POST['csrf'].
I do this check somewhere at the top any time I post user input:
Code:
$token = $_POST['csrf'];
if(!Token::check($token)){
    die('Token doesn\'t match!');
}
//The rest of my code including jQ and AJAX.
I wrote some code for the join.php file that I wound up pulling out. Let me go back to GitHub and see if I can find what I did to use the token during an AJAX call, which should be similar.
One more note. You can always echo out the token at all times to see what the system thinks it is.
Instead of doing something like
Code:
<input type="hidden" name="csrf" value="<?=Token::generate();?>" >
You can (at the top of your page) do
Code:
$csrf = Token::generate();
bold($csrf); //Just echoes out your token in a bold font with a white background
Then on the form you just do
Code:
<input type="hidden" name="csrf" value="<?=$csrf?>" >
Then, to see what's going on, you can do something like
Code:
$token = $_POST['csrf'];
//see what token was sent to the parser
if(!Token::check($token)){
    die('Token doesn\'t match!');
}
//die('Token matches');
Something like that. Anyway, the point is that the token doesn't need to be a secret to you.
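The generate-once, check-at-the-top flow described in this post, as an added example that is not part of the original post or of the project's code. `DemoToken` is a hypothetical stand-in for the `Token` class, the `$session` array stands in for `$_SESSION` so the script runs from the command line, and the demo assumes a single stored token per session.

```php
<?php
// Added illustration: DemoToken is hypothetical, not the project's Token class.
final class DemoToken
{
    private const KEY = 'csrf';

    // Create a fresh random token and remember it in the session store.
    public static function generate(array &$session): string
    {
        return $session[self::KEY] = bin2hex(random_bytes(32));
    }

    // Compare the submitted value with the stored one in constant time.
    // Missing or non-string input is rejected instead of raising an error.
    public static function check(array $session, $submitted): bool
    {
        $stored = $session[self::KEY] ?? null;
        return is_string($stored) && is_string($submitted)
            && hash_equals($stored, $submitted);
    }
}

function report(string $case, bool $ok): void
{
    echo str_pad($case, 34), $ok ? "token matches\n" : "token doesn't match\n";
}

$session = []; // constructed stand-in for $_SESSION

// Page load: generate once and reuse the same value for the hidden
// form field and for the data of any AJAX call made from this page.
$csrf = DemoToken::generate($session);
$post = ['csrf' => $csrf, 'username' => 'alice']; // constructed POST body

// POST handler: check before touching any other input.
report('same page, same token', DemoToken::check($session, $post['csrf'] ?? null));

// Requests that omit the field or send a guessed value.
report('csrf field missing', DemoToken::check($session, null));
report('guessed value', DemoToken::check($session, str_repeat('0', 64)));

// The page is loaded again (for example in a second tab), so the stored
// token is regenerated; the value held by the first page is now stale.
DemoToken::generate($session);
report('stale token after reload', DemoToken::check($session, $post['csrf']));
```

The last case is the one to keep in mind with AJAX: the script making the call has to send the token that was generated when its own page was rendered.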