Changelog

v2.4.0 (2015-08-22)

Various methods will now throw an TokenStorageException if the secret token cannot be appropriately stored or loaded.
Some documentation has been clarified and tests have been improved to better cover different use cases.

Added SingleToken class, which allows lazy loading the token and generating only one token per request.

Token length is now stored in a constant CSRFHandler::TOKEN_LENGTH instead of a protected member, as it should have been from the start.
Use HMAC-SHA256 for generating the encrypted token instead of XOR cipher.
CookieStorage now allows secure and httpOnly parameters in the constructor, which default to false and true.
Added NonceValidator class for using nonce tokens.

Improvements in code quality and documentation
The library now prefers hash_equals for constant time string comparison on PHP version 5.6 and later.
Added CSRFHandler::isValidatedRequest() to tell if the CSRF token should be validated according to current request method.
Added CSRFHandler::validateRequestToken() to validate the token sent in the request.
Changed CSRFHandler::getRequestToken() to public from protected
CSRFHandler now calls protected method killScript() internally when killing the script via validateRequest().
The SecureRandom library is now only loaded when needed
InvalidCSRFTokenException now extends UnexpectedValueException
CSRFHandler::regenerateToken() now prevents the token from being the same one as previously (should the astronomically unlikely event occur).

The library now depends on riimu/kit-securerandom for random bytes instead of just using openssl_random_pseudo_bytes.
Token storage and source methods are now much more modular and separated into different interfaces/classes
CSRFHandler::setUseCookies() no longer exists. Use the argument in the constructor instead.