I'm a beginner working on a login script in PHP. This is the form token statement that I have so far:
$_SESSION["form_token"] = bin2hex(random_bytes(32)); // random_bytes() is a CSPRNG; md5(rand(time(), true)) is predictable and rand() rejects min > max
The statement is issued just after the user indicates that he/she wants to login.
My limited understanding is that the token's purpose is to identify a unique user at a unique point in time and to disguise the form token information.
Then everything becomes fuzzy. Here are my 3 open questions:
When is the best time to "check" the form token for security purposes?
How do I check it?
When, if ever, do I "destroy" the form token? (IOW, would the form token stay "active" until the user logs out?)
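The token lifecycle the three questions ask about, as an added example that is not the asker's code: issue the token when the login form is rendered, check it on the POST before any credential handling, and consume it on every check so it cannot be replayed. The function names and the in-memory array standing in for $_SESSION are assumptions for the demonstration.

```php
<?php
// Added example (not the asker's code): a minimal CSRF form-token lifecycle.

function issueFormToken(array &$session): string
{
    // random_bytes() is a CSPRNG; md5(rand()) is predictable and must not be used.
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    $session['form_token_time'] = time();
    return $token;
}

function renderHiddenField(string $token): string
{
    // Embedded in the login form so the browser sends it back with the POST.
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

function checkFormToken(array &$session, array $post, int $maxAgeSeconds = 900): bool
{
    $expected = $session['form_token'] ?? null;
    $issued   = $session['form_token_time'] ?? 0;
    // One-time use: remove the token whether or not the check succeeds.
    unset($session['form_token'], $session['form_token_time']);

    if (!is_string($expected) || !isset($post['form_token']) || !is_string($post['form_token'])) {
        return false;
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false; // stale token: the user must reload the form
    }
    // hash_equals() compares in constant time, so no timing signal leaks.
    return hash_equals($expected, $post['form_token']);
}

// Demonstration with an in-memory array standing in for $_SESSION (constructed input).
$session = [];
$token = issueFormToken($session);
echo renderHiddenField($token), "\n";

$loginPost = ['form_token' => $token, 'user' => 'alice', 'pass' => 'constructed-sample'];
var_dump(checkFormToken($session, $loginPost)); // first submission: token matches

// A replay of the same POST fails because the token was consumed above.
var_dump(checkFormToken($session, $loginPost));
```

In a real script the check runs first in the POST handler and a failure stops processing before the password is ever compared; a fresh token is issued with each rendering of the form rather than kept until logout.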