Csrf
Csrf gives you a small session-backed token guard for state-changing requests.
Use it when you need to issue a token during page rendering and verify that the same request later posts it back before you mutate application state.
What the package provides
Quantum\Csrf\Csrffor token generation and validation- helper access through
csrf()andcsrf_token() - single-use validation that clears the stored token after a successful match
Quick example
Render a token into a form:
<input type="hidden" name="csrf-token" value="<?= csrf_token(); ?>">
Validate it before handling a state-changing request:
csrf()->checkToken(request());
How it works in practice
The package stores one token in the current session under csrf-token.
csrf_token()creates the token the first time you call it in the current token lifecycle- repeated calls return the same stored token until validation succeeds or the session entry is cleared
checkToken()compares the incoming request token with the session token and then deletes the stored token on success
That makes the default flow single-use.
Important behavior
- the package keeps only one active token per session at a time
- successful validation removes the token from both session storage and the current request object
- missing or mismatched tokens throw
CsrfException csrf_token()depends onAPP_KEY; if that value is missing, the helper throws an app exception instead of returning a token