Re-issueing a token

In my form, I have a token which is saved in a session and must be present when the form is submitted:

$token = hash('sha256', rand() . microtime() . $_SERVER['REMOTE_ADDR']) // rand as possible
$_SERVER['token'] = $token;

Now in the form I 开发者_如何学JAVAhave a hidden value:

<input type="hidden" name="token" value="<?php echo $token;?>">

When this form I submitted I check whether it matches the token in the session:

if ($_POST['token'] !== $_SESSION['token'])
{
// show error here
}
else
{
//carry on normally
}

However, what happens if the user fills in the form incorrectly? I can't change the token again in the session because output has already been sent. What do you suggest?

I suggest not to send any output as long as you are not ready with your headers, Sessions and so on. You can produce your output at the end of the request, or (if the first solution is not possible) look at the manual "output buffering".

You can change things in the session even though output has been sent. You can't start the session after content has been sent, but once you've sent the session headers (which should be one of the first things that you do) you can modify data in the session at any time during the request.