I store a unique token in the session, but it’s the only thing I store, however…
> you have to destroy that session variable. If the user reloads the form with invalid
> values, the security token may be regenerated and would then be deemed invalid.
You do not need to destroy that given variable, generated for that given request, because you can reuse it… What I do is to preserve the unique token from the past request, as well as the current request, in an array.
You only ever need to keep two versions of the token at any one time, so in your form validation script, if the unique token passed in the form doesn’t match one, it’ll definitely match its opposite.
Here is some script, which is executed once the Request is instantiated:
final class QRequest_Filter_Unique implements QFilter_Interface {
    // Session key under which the short queue of recent tokens is kept.
    private $queue_name;

    public function __construct( $queue_name ) {
        $this->queue_name = $queue_name;
    }

    // Called once per request; the first argument is the request dataspace.
    public function process() {
        $args      = func_get_args();
        $dataspace = array_shift( $args );
        $session   = $dataspace->get( '__session' );
        $unique    = QCommon::unique();

        // Load the token queue from the session. On the first request (or if the
        // stored value is not an array) start with an empty queue instead of
        // appending to null/false.
        $queue = $session->get( $this->queue_name );
        if ( ! is_array( $queue ) ) {
            $queue = array();
        }

        // Drop the oldest token(s) so the queue never holds more than two:
        // the previous request's token and the one issued now.
        while ( count( $queue ) >= 2 ) {
            array_shift( $queue );
        }
        $queue[] = $unique;

        // Expose the fresh token to the current request (for the form field) and
        // persist the two-token window back to the session.
        $dataspace->set( $this->queue_name, $unique );
        $session->set( $this->queue_name, $queue );
    }
}
Problem solved.
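The two-token window described in this reply, as a self-contained added example that is not the poster's framework code: the session is a plain array rather than `$_SESSION` so it runs from the command line, and the names `TokenWindow`, `issue()` and `isValid()` are this example's own. It shows the issue side (keep the current and previous token), the validation side (accept either, compared in constant time), and the reload case where a token older than the previous request is rejected.

```php
<?php
// Added example, not code from the original post. A session-backed window of
// the two most recent form tokens; $session stands in for $_SESSION.

final class TokenWindow
{
    private const QUEUE_KEY = 'form_tokens';
    private const WINDOW    = 2;   // current token + the previous one

    private $session;              // untyped so it can hold a reference

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Generate a token for this request and push it into the session queue. */
    public function issue(): string
    {
        $token = bin2hex(random_bytes(16));       // 128 bits from the CSPRNG

        $queue = $this->session[self::QUEUE_KEY] ?? [];
        if (!is_array($queue)) {                  // first request or corrupted value
            $queue = [];
        }
        while (count($queue) >= self::WINDOW) {   // drop the oldest token(s)
            array_shift($queue);
        }
        $queue[] = $token;
        $this->session[self::QUEUE_KEY] = $queue;

        return $token;
    }

    /** True if the submitted value matches either of the two live tokens. */
    public function isValid($submitted): bool
    {
        // Form input may be missing or an array (token[]=...); reject anything
        // that is not a non-empty string before comparing.
        if (!is_string($submitted) || $submitted === '') {
            return false;
        }
        foreach ($this->session[self::QUEUE_KEY] ?? [] as $live) {
            if (hash_equals($live, $submitted)) {  // constant-time comparison
                return true;
            }
        }
        return false;
    }
}

// Simulated request flow (constructed for this example).
$session = [];
$window  = new TokenWindow($session);

$first  = $window->issue();   // request 1 renders the form carrying $first
$second = $window->issue();   // user reloads; request 2 renders with $second

var_dump($window->isValid($first));    // bool(true): previous token still accepted
var_dump($window->isValid($second));   // bool(true): current token accepted

$third = $window->issue();    // one more reload pushes $first out of the window
var_dump($window->isValid($first));    // bool(false): older than the window
var_dump($window->isValid(['x']));     // bool(false): non-string input rejected
```

The queue lives in the session, so it is shared by every tab of the same user: two tabs each rendering the form in quick succession still both hold a valid token, but a third render invalidates the oldest one, which is the trade-off of a fixed window of two.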