I'm writing a login system for a web application. Currently I create a php session and generate a token stored in a PHP session variable before any HTML or other output. That token is read in JavaScript from the php session by a simple embedded PHP echo and stored briefly in a javascript variable. It is then sent in all ajax requests and if the token sent in the ajax request doesn't match the token stored in the PHP session, the ajax call is aborted. An alternative would be to make a ajax call DOMContentLoaded to a php script, generate the token, store a hash is mysql, and return the unhashed token via ajax response and store it in a JavaScript variable. On subsequent ajax calls within the same page, I could return a new token each time to be used in a subsequent ajax call.
My question is whether the storing the token primarily in the PHP Session but still reading it via php echo into a JavaScript variable is more secure than returning the token via ajax and storing it in a JavaScript variable. The ajax method has the advantage of allowing a new token to be generated and returned on each ajax call.
I have tried updating the token in the php session during an ajax call but client side code that uses PHP echo of the session variable into a JavaScript variable doesn't receive the new value created during the ajax call because the client page hasn't reloaded. This isn't a problem if the token is stored in mysql and returned to the client via ajax.
