Published 19 years 1 month ago • Last updated March 22, 2025 • ⏱️ < 1 min read
A form token provides protection against forms of attacks against your site (e.g.CSRF *), which allows a hacker to use your form in a way it wasn't intended. The idea being that a form token appears as a hidden field that can only be used once.
It should be a random key, which is longer than 5 characters, and ideally mixed case alphanumeric and non-alphanumeric characters that is then hashed using MD5 or SHA1 or similar hashing method with a salt *. The form token should only be able to be used for that session and that user.
Before a sensitive action is performed for example buying a product, you check that the form token was sent correctly and matches the one you stored on the server for that user. If the token matches then the action is performed and the token cannot be used again, if it does not match the action will not be performed.