I run into a problem. Following OWASP cheatsheet, I implemented a one-time-use CSRF token system in PHP (basically copy&paste from OWASP). Each form or link (link that generate some action) will create its own CSRF token, once it's used, it will be deleted. Application is a website, so multiples tabs could be opened at the same time.
The problem is that each time it load a page, it create a new CSRF token (even if you just hit reload and not send the form). For example, in the admin panel, there's a list of the items, each item could be deleted with a link which have a CSRF token (same CSRF token for all links), but if you reload the page, a new csrf is generated.
At the end of the day, I ended with more un-used tokens than I wanted to. This is a problem in certain servers.
TLDR; I generate a token per request. I deleted all used token (except for ajax request tokens, that after an hour I delete then). My problem is with UNUSED tokens, at the end of the day, there're too many of them.
