marianek.pl/autoload/Shared/Security/CsrfToken.php

<?php
namespace Shared\Security;

class CsrfToken
{
    const SESSION_KEY = 'csrf_token';

    public static function getToken(): string
    {
        if (empty($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return (string) $_SESSION[self::SESSION_KEY];
    }

    public static function validate(string $token): bool
    {
        $sessionToken = isset($_SESSION[self::SESSION_KEY]) ? (string) $_SESSION[self::SESSION_KEY] : '';
        return $sessionToken !== '' && hash_equals($sessionToken, $token);
    }

    public static function regenerate(): void
    {
        $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
    }
}