This topic is continue of this : http://forum.phalcon.io/discussion/310/csrf-protection I investigate this issue a little bit more. And the problem is: $_SESSION['$PHALCON/CSRF/KEY$'] is stored only the FIRST Key/Token ["$PHALCON/CSRF/KEY$"]=> string(16) "FoIgjaYm9vqIbiy9" ["$PHALCON/CSRF$"]=> string(32) "e44ceca0a75c12e5b55d4a519d8fcc90" And when you posting for example form #4 tokens mismatch! Sadly... Anybody knows how to trick with it? How to store array of tokens and check over array? Maybe I missed something?