preview.png has disappeared, updated and figured out (General)

by Micha ⌂, Tuesday, July 03, 2018, 08:48 (2118 days ago) @ Auge

Hi,

In general this would be a nice idea because it creates adequate shuffled strings. But this way we would be hashing the same strings with the same results on every request again and again.

Of course, but the "again and again" only applies to pages that contain forms. If people just read the threads or postings, nothing will be generated.

What's with generating the hash from the field name (for the readability of the code) and the CSRF-token that gets generated for every single one of the affected forms?

This sounds nice and we can remove the hidden field of the CSRF-token because each field name is like a CSRF.

# before generating the form (PHP code, can also be done with the Smarty engine)
$smarty->assign('new_user_name', md5("new_user_name" . $_SESSION['csrf_token']));

The overhead of this solution is that we have to define variables for each field.

/Micha

--
applied-geodesy.org - OpenSource Least-Squares Adjustment Software for Geodetic Sciences
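
The idea discussed in this post, as an added example that is not part of the original post or the forum's own code: field names are derived from the readable name and the session's CSRF token, and a submission is mapped back to readable names on receipt. The helper names, the second field name, the sample values and the use of HMAC-SHA256 instead of `md5()` are assumptions made for this example.

```php
<?php
// Added example, not forum code. All helper names are hypothetical.

// Derive a per-session field name from the readable name and the CSRF token.
// HMAC-SHA256 is used here in place of the md5() concatenation in the post.
function field_alias(string $name, string $csrfToken): string
{
    // Prefix with a letter so the result is always a valid HTML name/id.
    return 'f' . substr(hash_hmac('sha256', $name, $csrfToken), 0, 32);
}

// Build the readable-name => alias map once per form, e.g. to assign to Smarty.
function build_aliases(array $names, string $csrfToken): array
{
    $map = [];
    foreach ($names as $name) {
        $map[$name] = field_alias($name, $csrfToken);
    }
    return $map;
}

// Map a submitted request back to readable names. Returns null when an
// expected alias is missing, which is the case for any request that was
// built without knowledge of the session token.
function resolve_submission(array $post, array $names, string $csrfToken): ?array
{
    $resolved = [];
    foreach (build_aliases($names, $csrfToken) as $name => $alias) {
        if (!array_key_exists($alias, $post) || !is_string($post[$alias])) {
            return null;
        }
        $resolved[$name] = $post[$alias];
    }
    return $resolved;
}

// Constructed sample data; in the forum the token would be $_SESSION['csrf_token'].
$token  = bin2hex(random_bytes(16));
$fields = ['new_user_name', 'new_user_email'];
$alias  = build_aliases($fields, $token);

$genuine  = [$alias['new_user_name'] => 'alice', $alias['new_user_email'] => 'alice@example.org'];
$readable = ['new_user_name' => 'mallory', 'new_user_email' => 'mallory@example.org'];

var_dump(resolve_submission($genuine, $fields, $token));
var_dump(resolve_submission($readable, $fields, $token));
```

Computing the map once per rendered form and passing it to the template as a single array avoids defining one variable per field.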

