#li3 > Lithium Documentation > lithium/security/validation/RequestToken

The `RequestToken` class creates cryptographically-secure tokens and keys that can be used to
validate the authenticity of client requests.

`RequestToken` will persist the token for the life of
the client session, and generate per-request keys that will match against that token.

Using these token/key pairs in forms and other non-idempotent requests will help you secure your
application against cross-site request forgeries, or CSRF attacks.

### Example

{{{
// views/comments/add.html.php:
// ...
<?=$this->form->create($object); ?>
	<?=$this->security->requestToken(); ?>
	// Other fields...
<?=$this->form->end(); ?>
}}}

{{{
// controllers/CommentsController.php:
public function add() {
	if ($this->request->data && !RequestToken::check($this->request)) {
		// Key didn't match the CSRF token. Regenerate the session token and
		// prompt the user to retry the form submission.
		RequestToken::get(array('regenerate' => true));
		return;
	}
	// Handle a normal request...
}
}}}

Links

Cross-Site Request Forgeries

Related

Links