Implement CSRF token generation per session. Check: how will the hacker get the token generated for your session?
There is also a procedure for per-request token generation, but I think that is not a good approach in Yii. Problem with per-request token generation
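As an added illustration (not code from the forum post, and not Yii's own implementation; Yii has built-in CSRF handling through its request component and the `enableCsrfValidation` setting), the per-session scheme recommended above in plain PHP: one random token is created the first time the session needs it, rendered into every state-changing form, and compared in constant time on submission. A plain array stands in for `$_SESSION` so the script runs from the CLI; the names `csrfToken`, `csrfField` and `csrfValid` are this example's, not Yii's.

```php
<?php
// Added example: minimal per-session CSRF token, independent of Yii.
// In a real app, call session_start() and pass $_SESSION instead of a local array.
declare(strict_types=1);

// Returns the session's CSRF token, generating it on first use.
// The token exists only in server-side session state and in forms we render,
// so a form submitted from another origin cannot know it.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 CSPRNG bytes, hex-encoded: a 64-character token
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden input to embed in every form that changes state.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $token . '">';
}

// Validates the submitted token against the session copy.
// hash_equals() is constant-time, so timing does not reveal how much of a guess matched.
function csrfValid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['_csrf']) || !is_string($post['_csrf'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['_csrf']);
}

// Constructed demonstration: one session, three kinds of POST body.
function demo(): array
{
    $session = [];
    $form = csrfField($session);                    // token is created here
    $ownForm  = ['_csrf' => $session['csrf_token']]; // what our rendered form sends
    $guessed  = ['_csrf' => str_repeat('0', 64)];    // a value picked without knowing the session
    $noField  = [];                                  // a cross-site form that carries no token
    return [
        'form_html'      => $form,
        'own_form_ok'    => csrfValid($session, $ownForm),
        'guessed_ok'     => csrfValid($session, $guessed),
        'no_field_ok'    => csrfValid($session, $noField),
    ];
}

print_r(demo());
```

Only the submission carrying the session's own token validates; the token should also be regenerated together with the session id at login, so that a session fixed before authentication does not carry a known token into the authenticated session.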