The Tokens class provides a CSRF-style service for form token matching. Multiple tokens may be issued so that a site visitor can use multi-tabbed or multi-windowed browsing. When a token is issued it is added to the token cookie, and when it is matched it is removed from the cookie, so each token is single-use. There is a maximum number of tokens stored per cookie, set by the "jar_size" config option in config.tokens.php.

For better security, tokens are kept in two separate cookies: one for SSL-encrypted pages and one for pages that are not SSL-encrypted. You can name these cookies and configure Tokens' cookies in config.tokens.php.

The cookie for SSL-encrypted pages is deleted when a site visitor successfully logs in or logs out using the Auth class. Auth therefore depends on Tokens.
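The jar behaviour described above, as an added illustration that is not the framework's own Tokens class: a minimal PHP token jar with a jar_size cap, single-use matching, separate jars for SSL and non-SSL pages, and an SSL-jar reset of the kind Auth triggers on login and logout. The class name TokenJar, its method names and the in-memory arrays standing in for the two cookies are assumptions of this example; only the behaviour mirrors the page.

```php
<?php
// Added illustration, not the framework's Tokens class. Two in-memory arrays
// stand in for the SSL and non-SSL cookies so the example runs from the CLI.

final class TokenJar
{
    /** @var array<string, list<string>> one jar per cookie */
    private array $jars = ['ssl' => [], 'plain' => []];

    // $jarSize plays the role of the "jar_size" config option
    public function __construct(private int $jarSize = 10) {}

    private function key(bool $isSsl): string
    {
        return $isSsl ? 'ssl' : 'plain';
    }

    /** Issue a fresh token and store it; the oldest token is dropped when the jar is full. */
    public function issue(bool $isSsl): string
    {
        $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
        $jar = &$this->jars[$this->key($isSsl)];
        $jar[] = $token;
        while (count($jar) > $this->jarSize) {
            array_shift($jar);                   // evict the oldest token
        }
        return $token;
    }

    /** Match a posted token against the jar for this page type; a match consumes it. */
    public function match(?string $posted, bool $isSsl): bool
    {
        if ($posted === null || $posted === '') {
            return false;
        }
        $jar = &$this->jars[$this->key($isSsl)];
        foreach ($jar as $i => $stored) {
            if (hash_equals($stored, $posted)) { // constant-time comparison
                unset($jar[$i]);                 // single use: remove on match
                $jar = array_values($jar);
                return true;
            }
        }
        return false;
    }

    /** What login/logout does to the SSL cookie: every SSL token is forgotten. */
    public function clearSsl(): void
    {
        $this->jars['ssl'] = [];
    }

    public function count(bool $isSsl): int
    {
        return count($this->jars[$this->key($isSsl)]);
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("unexpected result: $what");
    }
}

// Walk through the behaviours with a jar that holds three tokens.
$jar = new TokenJar(jarSize: 3);
$a = $jar->issue(true);
$b = $jar->issue(true);
$c = $jar->issue(true);
$d = $jar->issue(true);                                      // jar is full: $a is evicted
expect($jar->count(true) === 3, 'jar_size caps the SSL jar');
expect(!$jar->match($a, true), 'evicted token no longer matches');
expect($jar->match($b, true), 'live token matches');
expect(!$jar->match($b, true), 'a matched token is consumed');
expect(!$jar->match($c, false), 'SSL token is not valid against the non-SSL jar');
expect($jar->match($c, true), 'same token still valid against the SSL jar');
$jar->clearSsl();                                            // login/logout
expect(!$jar->match($d, true), 'SSL jar is emptied on login/logout');
echo "token jar behaves as described\n";
```

The eviction policy is the one detail the page leaves open; dropping the oldest token is this example's choice, and it is what lets a visitor with more open tabs than jar_size find that their earliest form no longer submits.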


<?php
// Use the form open tag to automatically generate a token input
echo Form::open();

// Or create the token input manually
$tokens = $container['tokens'];
echo '<input type="hidden" name="' . $tokens->name . '" value="' . $tokens->token() . '" />';

// In form processing, simply check if the token matches
if ($tokens->match) {
    // The posted value matched one in the cookie ...
} else {
    // There was no match ...
}