// This code is brought to you by Sean Coates (seancoates.com):

<?php

namespace app\extensions\helper;
use \app\extensions\storage\Session;
use \lithium\util\String;

class Form extends \lithium\template\helper\Form
{
	protected function _render($method, $string, $params, array $options = array()) {
		if ($docsrf = isset($params['options']['docsrf'])) {
			unset($params['options']['docsrf']);
		}
 
		// get default
		$ret = parent::_render($method, $string, $params, $options);
 
		// if we're not already in a create chain, and if we're docsrf...
		if (((get_parent_class($this) . '::create') == $method
			|| (get_class($this) . '::create') == $method)
			&& $docsrf) {
			// append a hidden field with the token
			$ret .= $this->hidden(
				\app\extensions\action\Request::CSRF_TOKEN_FIELD_NAME,
				array('value' => Session::get_csrf_token())
			);
		}
 
		return $ret;
	}
}

?>

<?php

namespace app\extensions\storage;

class Session extends \lithium\storage\Session
{
	public static function get_csrf_token($replace = false)
	{
		$token = null;
		if (!$replace) {
			$token = self::read('csrf_token');
		}
		if ($token) {
			return $token;
		}
 
		// not found (or replacing); generate a new token
		$token = md5(uniqid(microtime(true)));
 
		self::write('csrf_token', $token);
 
		return $token;
	}
 
	public static function check_csrf_token($token)
	{
		return $token === self::read('csrf_token');
	}
 
}

?>