There aren't any good session-powered CSRF prevention libraries. By good we mean:

• CSRF tokens can be restricted to any or all of the following:
  • A particular session
  • A particular HTTP URI
  • A particular IP address (optional)
• Multiple CSRF tokens can be stored
• CSRF tokens expire after one use
• An upper limit on the number of tokens stored with session data is enforced
  • In our implementation, the oldest are removed first

Warning - Do not use in any project where all $_SESSION data is stored client-side in a cookie. This will quickly run up the 4KB storage max for an HTTP cookie.

See autoload.php for an SPL autoloader.

First, add a filter like this one:

use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig\TwigFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);

Next, call the newly created form_token function from your templates.

<form action="/addUser.php" method="post">
    {{ form_token("/addUser.php") }}

    {# ... the rest of your form here ... #}
</form>

    $csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            // Valid
        } else {
            // Log a CSRF attack attempt
        }
    }

If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.