Is the token generated by Security::getToken unique?

Hi, I need to generate random unique tokens. Does Security::getToken generate unique tokens? If not, what's the best way to generate such unique random tokens?

Thank you



edited Dec '14

The token is rather unique. You can see the source code. But the token doesn't need absolute uniqueness, because the token's lifetime is limited to two requests: generation in the form, and the check when the form is submitted to the application (server).

P.S. If the application uses AJAX POST form submission, then it is possible to use other methods of protection without a token. See https://www.w3.org/TR/cors/




I add to @Oleg's answer that you can also use tokens in your AJAX requests (it's just adding another POST variable, but I haven't tried it) (accepted answer) https://forum.phalcon.io/discussion/3965/problem-with-csrf
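
The two-request lifecycle described in the first answer (generate for the form, check once on submit), as an added example that is not part of the original posts and is not Phalcon's own code. The names `issueToken` and `checkToken` and the `$store` array standing in for the session are hypothetical, chosen so the script runs from the command line.

```php
<?php
declare(strict_types=1);

/**
 * Issue a token for one form render and remember it server-side.
 * $store is a stand-in for the session array (assumption for this example).
 */
function issueToken(array &$store, int $bytes = 32): string
{
    // random_bytes() reads the operating system CSPRNG. With 32 bytes
    // (256 bits) two live tokens colliding is not a practical concern,
    // which is why no uniqueness bookkeeping is done here.
    $token = bin2hex(random_bytes($bytes));
    $store['csrf_token'] = $token;
    return $token;
}

/**
 * Check a submitted token once, then discard it: generation plus one
 * check is the token's whole lifetime.
 */
function checkToken(array &$store, ?string $submitted): bool
{
    $expected = $store['csrf_token'] ?? null;
    unset($store['csrf_token']); // single use: a replay has nothing to match

    if (!is_string($expected) || !is_string($submitted)) {
        return false; // nothing issued, or nothing submitted
    }
    // Constant-time comparison, so timing does not leak a partial match.
    return hash_equals($expected, $submitted);
}

// Constructed walk-through of the form round trip.
$session = [];
$token = issueToken($session);

$cases = [
    'first submit'  => checkToken($session, $token),
    'replay'        => checkToken($session, $token),
    'missing token' => checkToken($session, null),
];
foreach ($cases as $case => $accepted) {
    printf("%-14s %s\n", $case, $accepted ? 'accepted' : 'rejected');
}
```

For a value that has to stay unique for longer than those two requests, the same `random_bytes()` output can be used, with uniqueness enforced where the value is stored.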