Simulating the form token to solve CSRF in front-end/back-end separated projects

Time:2019-10-8

CSRF: cross-site request forgery.
As you all know, in earlier projects that did not use a front-end/back-end separation scheme, mature frameworks solved this by adding a hidden field to the form, so that every submission is validated against a token that is used once and then destroyed. For example:

<form action="//rasp.oneasp.com/account/modifyPassword">
  <input .....>
  <input type="hidden" name="__token__" value="xxxxxxx"/>
</form>

How can the same thing be achieved with front-end/back-end separation?
Simply: through cookies and Redis.
The server provides an interface (kept under the same domain name as the front end), generates _token_, and writes _token_ both to Redis and to a cookie. When the front end calls the interface again, it reads the token from the cookie and sends it along explicitly (for example in a request header); the server checks that the sent token matches the cookie and exists in Redis, then uses it once and deletes it from Redis. The explicit copy is what matters: a forged cross-site request carries the cookie automatically, but the attacker's page cannot read the cookie value, so it cannot supply the matching header. For that reason the cookie must not be HttpOnly, otherwise the front end cannot read it.

public function testAction(){
    // Unpredictable token: md5(uniqid()) is guessable, so a CSPRNG is used instead
    $_token_ = bin2hex(random_bytes(16));
    // Save the token in Redis with the same lifetime as the cookie
    // (assumes a connected phpredis client in $this->redis)
    $this->redis->setex('_token_:' . $_token_, 24 * 3600, '1');
    // Deliver the token to the front end in a cookie under the same domain;
    // not HttpOnly, because the front end must read it to send it back explicitly
    setcookie('_token_', $_token_, time() + (24 * 3600), '/');
    return false;
}
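The full issue-and-verify cycle described above, as an added example that is not the post's own code. It assumes the front end sends the token back in an X-CSRF-Token header (the header name is an assumption), and uses an in-memory stand-in whose method names mirror phpredis (setex/exists/del) so the file runs without a Redis server; swapping in a real `Redis` client needs no other change.

```php
<?php
declare(strict_types=1);

// Minimal store interface shaped like the phpredis methods this flow needs.
interface TokenStore {
    public function setex(string $key, int $ttl, string $value): bool;
    public function exists(string $key): int;
    public function del(string $key): int;
}

// In-memory stand-in for Redis (constructed for this example) with per-key expiry.
final class MemoryTokenStore implements TokenStore {
    /** @var array<string, array{value: string, expires: int}> */
    private array $data = [];

    public function setex(string $key, int $ttl, string $value): bool {
        $this->data[$key] = ['value' => $value, 'expires' => time() + $ttl];
        return true;
    }

    public function exists(string $key): int {
        $this->purge($key);
        return isset($this->data[$key]) ? 1 : 0;
    }

    // Like Redis DEL: returns the number of keys actually removed (0 or 1 here).
    public function del(string $key): int {
        $this->purge($key);
        if (!isset($this->data[$key])) {
            return 0;
        }
        unset($this->data[$key]);
        return 1;
    }

    private function purge(string $key): void {
        if (isset($this->data[$key]) && $this->data[$key]['expires'] <= time()) {
            unset($this->data[$key]);
        }
    }
}

// Server side, token interface: generate an unpredictable token, remember it, hand it to the front end.
// Returns the cookie value that setcookie('_token_', ...) would deliver in a real response.
function issueToken(TokenStore $store, int $ttl = 24 * 3600): string {
    $token = bin2hex(random_bytes(32));          // CSPRNG, never md5(uniqid())
    $store->setex('_token_:' . $token, $ttl, '1');
    // In a real controller: setcookie('_token_', $token, ['expires' => time() + $ttl,
    //   'path' => '/', 'secure' => true, 'httponly' => false, 'samesite' => 'Strict']);
    return $token;
}

// Server side, protected interface: accept the request only if the explicitly sent copy
// matches the cookie and the token is still unused. DEL's return value is the single-use
// check; it is atomic, so two concurrent replays cannot both succeed (EXISTS-then-DEL would race).
function verifyToken(TokenStore $store, ?string $headerToken, ?string $cookieToken): bool {
    if ($headerToken === null || $cookieToken === null || $headerToken === '') {
        return false;
    }
    if (!hash_equals($cookieToken, $headerToken)) {   // constant-time comparison
        return false;
    }
    return $store->del('_token_:' . $headerToken) === 1;
}

// Simulated exchange between front end and back end.
$store = new MemoryTokenStore();
$cookie = issueToken($store);

// Legitimate request: the front end read the cookie and copied it into the header.
$first = verifyToken($store, $cookie, $cookie);                       // true
// Replay of the same token: already consumed, so rejected.
$replay = verifyToken($store, $cookie, $cookie);                      // false
// Forged cross-site request: browser attaches the cookie, but the header is missing.
$forged = verifyToken($store, null, issueToken($store));              // false
// Header present but not matching the cookie: rejected before touching the store.
$mismatch = verifyToken($store, str_repeat('a', 64), issueToken($store)); // false

printf("legit=%d replay=%d forged=%d mismatch=%d\n", $first, $replay, $forged, $mismatch);
```

With a real deployment, `$store` becomes `$redis = new Redis(); $redis->connect('127.0.0.1', 6379);` and the header token comes from `$_SERVER['HTTP_X_CSRF_TOKEN']`, the cookie token from `$_COOKIE['_token_']`.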

If you have a better plan, leave a message and let's discuss it.