This topic is continue of this : https://forum.phalcon.io/discussion/310/csrf-protection I investigate this issue a little bit more. And the problem is: $_SESSION['$PHALCON/CSRF/KEY$'] is stored only the FIRST Key/Token ["$PHALCON/CSRF/KEY$"]=> string(16) "FoIgjaYm9vqIbiy9" ["$PHALCON/CSRF$"]=> string(32) "e44ceca0a75c12e5b55d4a519d8fcc90" And when you posting for example form #4 tokens mismatch! Sadly... Anybody knows how to trick with it? How to store array of tokens and check over array? Maybe I missed something?
You don't need to create a CSRF token for each form in the page, you can use the same CSRF for all the forms present in the page,
We're not avoiding Cross-Form Request but Cross-Site Request.
The CSRF token is regenerated in every request passed as a hidden value in every form and you'll avoid the Cross-Site Request Forgery as expected.
You can set token before forms, for example:
{% set token_key = security.getTokenKey() %} {% set token = security.getToken() %}...and them use token_key and token in all forms u have. Why not? :) Good luck