PHP

CSRF Token Generate + Verify

by @admin
May 31, 2026
Per-session CSRF token helpers that use hash_equals for constant-time comparison. The token persists across requests within a session and is regenerated on logout.
PHP
<?php
// Return the session's CSRF token, creating it on first use.
function csrfToken(): string {
    if (session_status() === PHP_SESSION_NONE) session_start();
    if (empty($_SESSION['_csrf'])) {
        // 32 bytes from the CSPRNG, hex-encoded to 64 characters.
        $_SESSION['_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf'];
}

// Compare the submitted token with the session token in constant time.
function csrfVerify(?string $submitted): bool {
    if (session_status() === PHP_SESSION_NONE) session_start();
    $expected = $_SESSION['_csrf'] ?? '';
    // Reject when no token has been issued yet; hash_equals avoids timing leaks.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

/*
 * In your form (a block comment is used here because a "?>" inside a "//"
 * comment ends PHP mode and would break the script):
 *   <input type="hidden" name="_csrf" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
 */
// In your handler:
if (!csrfVerify($_POST['_csrf'] ?? null)) { http_response_code(419); exit('CSRF failure'); }
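The description mentions regenerating the token on logout, which the helpers above do not do by themselves. The following is an added example, not the snippet author's code: it assumes the two helpers are saved as csrf.php next to it, adds a csrfRotate() that rotates both the token and the session id, and guards only state-changing methods.

```php
<?php
// Added example (not the snippet author's code). Assumes csrfToken() and
// csrfVerify() from the snippet above are saved in csrf.php beside this file.
require_once __DIR__ . '/csrf.php';

// Rotate the token together with the session id, e.g. on login and logout,
// so a token issued before the privilege change is useless afterwards.
function csrfRotate(): string {
    if (session_status() === PHP_SESSION_NONE) session_start();
    unset($_SESSION['_csrf']);
    session_regenerate_id(true);
    return csrfToken();
}

// Enforce the check only for state-changing methods. GET/HEAD/OPTIONS must
// stay side-effect free; a token does not protect them.
function csrfGuard(string $method, ?string $submitted): bool {
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    return csrfVerify($submitted);
}

// Logout handler: verify the token sent with the POST, clear the user's
// state, then rotate so the old token and session id are no longer valid.
function logout(?string $submitted): bool {
    if (!csrfGuard('POST', $submitted)) {
        http_response_code(419);
        return false;
    }
    unset($_SESSION['user_id']);
    csrfRotate();
    return true;
}

// Example wiring for a logout endpoint (hypothetical route, not part of the snippet).
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    logout($_POST['_csrf'] ?? null);
}
```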