I've had the same problem you describe: with a single CSRF token the stored value is replaced every time the form is rendered, so a submit only succeeds from the most recently loaded page. Keeping an array of tokens in the session (one per rendered form) solves that. You might also want to add a CAPTCHA; I'd recommend Google's reCAPTCHA.
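// Start (or resume) the session that holds the CSRF tokens. Guarded so that a
// page which already called session_start() does not trigger the
// "session already active" notice a second unconditional call would raise.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}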
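/**
 * Creates a new CSRF token, stores it in the session and returns it.
 *
 * Tokens live in two parallel arrays, $_SESSION['Tokens']['Token'] and
 * $_SESSION['Tokens']['Time'], which always share the same keys because
 * both are appended to together; several open forms can therefore each
 * carry their own valid token.
 *
 * The token comes from random_bytes(), a CSPRNG. The original
 * sha1(uniqid(mt_rand(), true)) is not cryptographically strong:
 * mt_rand() is predictable and uniqid() is time-based.
 *
 * @return string 64 hexadecimal characters (32 random bytes).
 */
function createToken(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['Tokens']['Token'][] = $token;
    $_SESSION['Tokens']['Time'][] = time() + (10 * 60); #10 min limit
    #you can omit/change this if you want to not limit or extend time limit
    return $token;
}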
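/**
 * Validates a submitted CSRF token against the tokens stored in the session.
 *
 * Expired tokens are purged first via clearTokens(). On a match the token
 * (and its expiry entry) is removed from the session, so each token is
 * accepted exactly once. Without that a token could be replayed for its
 * whole lifetime, and the checker's "tried to repost data" error would never
 * actually be true. Comparison uses hash_equals() so it is constant-time.
 *
 * @param mixed $token Raw request value (e.g. $_POST['token']). Anything
 *                     that is not a non-empty string is rejected; PHP turns
 *                     token[]=x into an array, which must not be compared.
 * @return bool true if the token was valid and has now been consumed.
 */
function checkToken($token): bool {
    clearTokens();
    if (!is_string($token) || $token === '' || empty($_SESSION['Tokens']['Token'])) {
        return false;
    }
    foreach ($_SESSION['Tokens']['Token'] as $key => $stored) {
        if (is_string($stored) && hash_equals($stored, $token)) {
            // single use: drop the matched token so a second submit of the same form fails
            unset($_SESSION['Tokens']['Token'][$key], $_SESSION['Tokens']['Time'][$key]);
            return true;
        }
    }
    return false;
}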
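/**
 * Removes every stored token whose expiry time has passed.
 *
 * Walks $_SESSION['Tokens']['Time'] and deletes the entry with the same key
 * from both the Time and the Token array (they are kept in lockstep by
 * createToken()). Safe to call before any token exists: the original
 * iterated an undefined key, which raises warnings on PHP 8.
 *
 * @return void
 */
function clearTokens(): void {
    // iterate a copy so unset() inside the loop cannot disturb the walk
    $expiries = $_SESSION['Tokens']['Time'] ?? [];
    if (!is_array($expiries)) {
        return;
    }
    $now = time();
    foreach ($expiries as $key => $expiresAt) {
        if ($expiresAt <= $now) {
            unset($_SESSION['Tokens']['Token'][$key], $_SESSION['Tokens']['Time'][$key]);
            #remove last parameter if you aren't using token time limit
        }
    }
}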
Your HTML (the form field; note that createToken()'s return value has to be echoed into the attribute):
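<?php // Echo the token into the field: calling createToken() without echo outputs nothing, leaving value="" so every check fails. ?>
<input type="hidden" name="token" value="<?= htmlspecialchars(createToken(), ENT_QUOTES, 'UTF-8') ?>">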
PHP token checker (run in the handler that receives the POST, before acting on the data):
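// Validate the submitted token before acting on the POST. Read it with ?? so a
// missing field is null rather than a warning, and require a string: a request
// can send token[]=... which PHP delivers as an array.
$postedToken = $_POST['token'] ?? null;
if (is_string($postedToken) && checkToken($postedToken)) {
    #valid token
} else {
    #create error message saying that they tried to repost data or session token expired
}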