Multiple Forms

I have multiple pages where I have several forms, all of which have the CSRF token, obviously, as this is best practice. However, how do I go about ensuring all forms have the token on submit so the post doesn't die if one of the forms generates a different token?

Sorry if my description doesn't make sense, but I am sure you will understand.

Generate token once and make all forms use it.
I've come across this issue many times, and there's loads on Stack about this too. If forms are behind login then it's not so bad not to use one; however, I generally use one on 1 form on the page, which is better than none.
I did see something about generating tokens per session, which sounds ideal to me.
I've done some looking into this and there's two systems worth looking at. The first is here, which looks pretty outstanding:


and then there's the WordPress way, which is based on session and user ID, so one token per user per session, which expires I believe after 12 or 24 hours.
I've opted to go with moving the token check and generation to the header and echoing $token in each form. Most of my employees aren't too tech-savvy and will try to submit a form multiple times (or even order the same item for a customer several times), and it was easier for me to use the CSRF check already in place than to code checks to see if a form was already submitted.

In other projects though I've used something similar to the library that Firestorm posted above.
@karsen has that not had any issues with invalid token errors? i.e. multiple forms per page, each with its own form submission?
Since I generate the token in the header, I can simply echo out $token in the forms so all forms use the same $token instead of Token::generate().
Argh, I see, I'll give that a go. I'm definitely going to look at the token class a little closer; I noticed it's using md5( uniqid() ), so I've changed the class a little.

currently it generates: `<input type="hidden" name="csrf" value="89f378ee3aa6812ace51c50ce5f24e8b">`

but if we change the class to:

```php
class Token {
    public static function generate() {
        // mcrypt_create_iv() is deprecated as of PHP 7.1.0, so check it exists before using it
        if (function_exists('mcrypt_create_iv')) {
            return Session::put(Config::get('session/token_name'), bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)));
        } else {
            return Session::put(Config::get('session/token_name'), bin2hex(openssl_random_pseudo_bytes(32)));
        }
    }

    public static function check($token) {
        $tokenName = Config::get('session/token_name');

        if (Session::exists($tokenName) && $token === Session::get($tokenName)) {
            return true;
        }
        return false;
    }
}
```

it generates:

`<input type="hidden" name="csrf" value="d400c97e10082978da1541ba27b3f4501d796116a2d466e49740038d30d56883">`

which is far less predictable than uniqid().
Nice code, I've added the change to my project and crossed it off my to-do list (it's quite long!).
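The approach the thread settles on (generate the token once, in the header, and echo the same value into every form on the page, so submitting one form never invalidates another), as an added example that is not UserSpice's code and not any poster's. It assumes a plain session array instead of UserSpice's Session/Config classes (pass $_SESSION after session_start() in a real page), uses random_bytes() (PHP 7+) in place of mcrypt/openssl, compares with hash_equals() rather than === so the check is constant-time, and goes one step beyond the thread by rotating the token on login/logout. The session key and field names are chosen for the example.

```php
<?php
// Added example, not UserSpice code: one CSRF token per session shared by every form.
// The token store is passed in as an array so this runs from the CLI with a plain
// array; in a real page pass $_SESSION after session_start().
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // hypothetical key name, not UserSpice's token_name
const CSRF_FIELD_NAME  = 'csrf';

// Return the session's token, creating it on first use. Call this from the page
// header: every form rendered afterwards embeds the same value, so submitting one
// form never invalidates the token another form on the same page carries.
function csrf_token(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        // random_bytes() is a CSPRNG in PHP >= 7.0, replacing md5(uniqid()) and mcrypt_create_iv()
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// The hidden input to echo inside each <form>.
function csrf_field(array &$session): string
{
    $value = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $value . '">';
}

// Validate a submitted token. hash_equals() compares in constant time, and the
// guards reject a missing token, a non-string (e.g. csrf[]=...) and an empty session.
function csrf_check(array $session, $submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_SESSION_KEY], $submitted);
}

// Rotate the token, e.g. after login or logout, so a token issued to an
// unauthenticated session does not carry over (do this alongside session_regenerate_id()).
function csrf_rotate(array &$session): string
{
    unset($session[CSRF_SESSION_KEY]);
    return csrf_token($session);
}

// --- Demo with a constructed in-memory session -------------------------------
$session = [];

// Two forms on the same page, rendered from one header-generated token.
$orderForm  = '<form method="post">' . csrf_field($session) . '<button>Order</button></form>';
$cancelForm = '<form method="post">' . csrf_field($session) . '<button>Cancel</button></form>';
$tokenInPage = $session[CSRF_SESSION_KEY];

if (substr_count($orderForm . $cancelForm, $tokenInPage) !== 2) {
    throw new RuntimeException('both forms must embed the same token');
}

// Constructed POST bodies: the cancel form submitted with the page's token, then
// a request carrying a token the session never issued, then an array-typed field.
$validPost  = [CSRF_FIELD_NAME => $tokenInPage, 'action' => 'cancel'];
$forgedPost = [CSRF_FIELD_NAME => str_repeat('0', 64), 'action' => 'cancel'];
$arrayPost  = [CSRF_FIELD_NAME => [$tokenInPage], 'action' => 'cancel'];

if (!csrf_check($session, $validPost[CSRF_FIELD_NAME] ?? null)) {
    throw new RuntimeException('genuine submission was rejected');
}
if (csrf_check($session, $forgedPost[CSRF_FIELD_NAME] ?? null)) {
    throw new RuntimeException('unissued token was accepted');
}
if (csrf_check($session, $arrayPost[CSRF_FIELD_NAME] ?? null)) {
    throw new RuntimeException('array-typed token was accepted');
}

// After login the token is rotated; the old page value no longer validates.
$old = $tokenInPage;
csrf_rotate($session);
if (csrf_check($session, $old)) {
    throw new RuntimeException('stale token survived rotation');
}

echo "All CSRF checks behaved as expected.\n";
```

Run it with `php csrf_example.php`; it throws if any of the checks misbehave. In a page, call csrf_check() in the header before any handler runs, as karsen describes, and only then dispatch on the form's action; because the token lives for the session rather than per request, a double-click on Submit is not caught by this check and needs its own guard.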
