Generating CSRF tokens for multiple forms on a single page

Front-end | Unresolved | 2 answers | 947 views
执念已碎 2021-01-11 11:59

I am currently generating a CSRF token in my forms to prevent cross-site request forgery. It looks like:

2 answers
  •  暗喜 (OP)
     2021-01-11 12:49

    There really isn't any reason you can't have the same generated token for both forms, with each hidden field in each form having the same name attribute.

    After all, what you are really trying to validate is that a form request is inbound from a user with a valid session, and only one form is going to be actively posted at a time. Thus you are comparing the token posted against a token stored in session for the user. There need not be more than one token value in order to do this.

    For your case of needing to update the tokens based on AJAX posts, what you would need to do is, as you say, pass the newly created token back in the AJAX response, then update the hidden field values to the new token value.
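The scheme in this answer (one session-bound token shared by every form on the page, constant-time comparison against the session copy, and rotation after an AJAX post with the new value returned in the response) as an added example, not code from the original thread; the `session` dict stands in for a real server-side session store and the field name `csrf_token` is an assumption.

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"   # assumed key under which the session stores the token
FIELD_NAME = "csrf_token"    # assumed hidden-field name shared by every form


def issue_token(session):
    """Create a fresh random token and store it in the user's session."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def render_hidden_fields(session, form_ids):
    """Every form on the page gets the same hidden input: same name, same value."""
    value = session[SESSION_KEY]
    return {
        form_id: f'<input type="hidden" name="{FIELD_NAME}" value="{value}">'
        for form_id in form_ids
    }


def validate_token(session, posted):
    """Compare the posted token with the session token in constant time."""
    expected = session.get(SESSION_KEY)
    if not expected or not isinstance(posted, str):
        return False
    return hmac.compare_digest(expected, posted)


def handle_ajax_post(session, form_data):
    """Validate the post, then rotate the token and hand the new value back
    so the client can update the hidden field in every form."""
    if not validate_token(session, form_data.get(FIELD_NAME)):
        return {"status": 403, "error": "invalid CSRF token"}
    new_token = issue_token(session)   # old token is now rejected
    return {"status": 200, FIELD_NAME: new_token}


if __name__ == "__main__":
    session = {}
    issue_token(session)
    fields = render_hidden_fields(session, ["login", "comment"])
    assert fields["login"] == fields["comment"]
    reply = handle_ajax_post(session, {FIELD_NAME: session[SESSION_KEY]})
    print(reply["status"], "new token issued:", reply[FIELD_NAME][:8] + "...")
```

On the client, the AJAX success handler writes the returned value into every `input[name=csrf_token]` on the page, so the other forms keep working after the rotation.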
