A simple anti-XSRF class.

xsrf.php

<?php

/**
 * A simple anti-XSRF class.
 */
class xsrf
{
	static private $_token = false;

	/**
	 * Generate an XSRF token.
	 *
	 * Generate an XSRF token and store it in a cookie, but first check if the
	 * cookie already exists or if the token is already generated.  Then return it.
	 * See: http://en.wikipedia.org/wiki/Cross-site_request_forgery
	 *
	 * @return string
	 */
	static function token()
	{
		if (($token = get_cookie('xsrf')) !== false)
			self::$_token =& $token;
		elseif (!self::$_token)
		{
			self::$_token = generate_hash(generate_salt());
			set_cookie('xsrf', self::$_token);
		}

		return self::$_token;
	}

	/**
	 * Compare XSRF token with $token.
	 *
	 * @param string $token
	 * @return boolean
	 */
	static function check_cookie($token)
	{
		if (!self::$_token)
			self::token();

		return $token == self::$_token;
	}

	/**
	 * Return a hidden form field with the XSRF token.
	 *
	 * @return string
	 */
	static function form_html()
	{
		if (!self::$_token)
			self::token();

		return '<input type="hidden" name="xsrf_token" value="'.self::$_token.'" />';
	}
}