tokens are great tool to prevent csrf attack
for every request made by user , your system must generate a unique token and store it somewhere
the next time the client ask to perform some actions , the system verify if the token exist , and if it still valid
if we store tokens in sessions , then sessions will become too large , an this will cost a lot of memory as the CPU load the entire sessions in ram when responding to a request , and with a CPU of 1Gb for example , and 1000 users with 1 sessions of 1Mb each , the CPU will not handle anything , this could be a typical ddos attack ( to request more and more tokens knowing they are stored in sessions)
in the other side storing tokens in database have his own weakness ,
which method do you use to store tokens ?
