
preview.png has disappeared, updated and figured out (General)

by Auge ⌂, Tuesday, July 03, 2018, 10:11 (2121 days ago) @ Micha

Hello

In general this would be a nice idea because it creates adequately shuffled strings. But this way we would be hashing the same strings with the same results on every request again and again.


Of course, but the "again and again" only applies to pages that contain forms. If people just read the threads or postings, nothing will be generated.

Yes, that's correct. Where hashing is not performed, it is not performed. Even on the registration page this should not be problematic. In the posting form it can have a performance impact if the forum is well frequented. In that case it's (for me) much more reasonable to generate new, different hashes every time instead of the same hash again and again.

What about generating the hash from the field name (for the readability of the code) and the CSRF token that gets generated for every single one of the affected forms?


This sounds nice, and we can remove the hidden field of the CSRF token because each field name is like a CSRF token.

Would this make the token field really obsolete?

# before generating the form (PHP code, can also be done with the Smarty engine)
$smarty->assign('new_user_name', md5("new_user_name" . $_SESSION['csrf_token']));


The overhead of this solution is, that we have to define variables for each field.

Yes, we have to do this in PHP or in Smarty, and in Smarty it seems to be a bit shady. All I found about string concatenation in Smarty is very old (forum entries from 2001 to 2003) as well as a bit complicated. I think the easiest way is to generate the field names in PHP and to transfer them to the Smarty templates afterwards.

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!
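The scheme discussed in this post, as an added example that is not the forum's own code: the input names are derived from the logical field name plus the session's CSRF token, and the submit handler recomputes the same names to map the request back (a submission that does not carry them is rejected). The field list and the hash_hmac choice instead of the thread's md5 are assumptions of this example.

```php
<?php
// Added example, not the forum's code: input names derived from the logical
// field name plus the session's CSRF token, and the reverse mapping a submit
// handler needs. hash_hmac replaces the thread's md5 (needs the secret token).
session_start();

// One token per session. It must stay stable while a rendered form is open,
// otherwise the names on submit no longer match the names that were rendered.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Logical field names of the posting form (assumed for this example).
const FORM_FIELDS = ['new_user_name', 'email', 'subject', 'body'];

// Obfuscated input name for one logical field, bound to the session token.
function field_name(string $logical, string $token): string
{
    // Prefix keeps the name a valid identifier if the digest starts with a digit.
    return 'f' . hash_hmac('sha256', $logical, $token);
}

// logical name => hashed name, e.g. for $smarty->assign('fields', $map) and
// {$fields.new_user_name} in the template.
function field_names(array $fields, string $token): array
{
    $map = [];
    foreach ($fields as $f) {
        $map[$f] = field_name($f, $token);
    }
    return $map;
}

// Reverse the mapping for a submission. Null means at least one expected field
// is missing: the request was not built from a form rendered for this session
// (expired token, forged request, or a bot posting the plain field names).
function read_submission(array $post, array $fields, string $token): ?array
{
    $values = [];
    foreach ($fields as $f) {
        $name = field_name($f, $token);
        if (!array_key_exists($name, $post)) {
            return null;
        }
        $values[$f] = $post[$name];
    }
    return $values;
}

// Rendering: $map = field_names(FORM_FIELDS, $_SESSION['csrf_token']);
// Submit:    $values = read_submission($_POST, FORM_FIELDS, $_SESSION['csrf_token']);
```

Because the names depend on the session token, the token must be created once per session and kept until the form is submitted; a per-request token would make every open form fail the check.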

