CSRF Handler

What is the best way to handle CSRF? Just store a random hash in the session,
$_SESSION['csrf'] = md5(mt_rand());
then have it in the form as a hidden field, and after submission check the validity of this hidden value before processing the data? Or what is a good way to go?

You have the general concept, yes. Here is an article from SitePoint which should help:
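
The flow discussed in this thread (token kept in the session, sent as a hidden form field, checked on submission), written out as an added example that is not part of the thread or of the linked article. The function names and the `comment` field are hypothetical and PHP 7 or later is assumed; the token comes from `random_bytes()` rather than `md5(mt_rand())`, because `mt_rand()` is not a cryptographically secure generator, and the comparison uses `hash_equals()`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; this is an illustration, not code from the thread.

// Issue (or reuse) the per-session token. random_bytes() is a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Hidden field to place inside every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Check the submitted value before processing the data.
function csrf_check(array $post): bool
{
    $expected  = $_SESSION['csrf'] ?? '';
    $submitted = $post['csrf'] ?? '';
    // Reject a missing token and non-string input (e.g. csrf[]=x),
    // then compare in constant time.
    return is_string($expected) && $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Token is valid: process the form data here.
    exit('Saved');
}
?>
<form method="post">
    <?= csrf_field() ?>
    <input type="text" name="comment">
    <button type="submit">Send</button>
</form>
```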