security


Invalidating form tokens in Drupal 7

I wanted to invalidate the CSRF token generated by drupal_get_token once the user had submitted a form, to ensure that we didn’t get a double submit. Drupal 7 generates tokens based on a combination of things, including the PHP session id. A simple call to session_regenerate_id() will cause the token generated by drupal_get_token to change…
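
A standalone model of the behaviour described above, added here as an example and not taken from the original post or from Drupal's source. It assumes the token is an HMAC over the form value keyed on the session id plus site secrets; the model_* function names, the secrets and the session ids are constructed for illustration.

```php
<?php
// Added example: standalone model of a session-bound CSRF token.
// Not Drupal's code; key material below is a constructed placeholder.

// URL-safe base64 of an HMAC-SHA256 over $data.
function model_hmac_base64(string $data, string $key): string {
    $hmac = base64_encode(hash_hmac('sha256', $data, $key, true));
    return strtr($hmac, ['+' => '-', '/' => '_', '=' => '']);
}

// The key includes the session id, so a token is only valid for the
// session that was active when the form was rendered.
function model_get_token(string $sessionId, string $value, array $secrets): string {
    $key = $sessionId . $secrets['private_key'] . $secrets['hash_salt'];
    return model_hmac_base64($value, $key);
}

// Recompute the token for the current session and compare in constant time.
function model_valid_token(string $token, string $sessionId, string $value, array $secrets): bool {
    return hash_equals(model_get_token($sessionId, $value, $secrets), $token);
}

$secrets = [
    'private_key' => 'constructed-private-key',
    'hash_salt'   => 'constructed-hash-salt',
];

// 1. Two forms are rendered under the same session (think two browser tabs).
$sessionId  = bin2hex(random_bytes(16)); // stands in for session_id()
$formToken  = model_get_token($sessionId, 'my_form', $secrets);
$otherToken = model_get_token($sessionId, 'other_form', $secrets);

// 2. First submission of my_form: the token validates and the handler runs.
var_dump(model_valid_token($formToken, $sessionId, 'my_form', $secrets));

// 3. The handler rotates the session id (session_regenerate_id() in real PHP).
$sessionId = bin2hex(random_bytes(16));

// 4. A repeat of the same POST carries the old token, which no longer validates.
var_dump(model_valid_token($formToken, $sessionId, 'my_form', $secrets));

// 5. Side effect: the token for the other, still unsubmitted form is dead too.
var_dump(model_valid_token($otherToken, $sessionId, 'other_form', $secrets));
```

Because the session id is part of the key, rotating it invalidates every token issued under the old session, not just the one for the submitted form, so other open forms need to be re-rendered before they can be submitted.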