In a code i have seen this creation of token for a login page:
$token = $_SESSION['token'] = md5(uniqid(mt_rand(),true));
Then this token is echoed as a hidden input in the login form and on submitted, php code to validate login also checks this token like:
public function isTokenValid()
return (!isset($_SESSION['token']) || $this->_token != $_SESSION['token'])? 0 : 1;
What is the use of this token ?
This page is describes the use of it: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet