
Zend Framework 2 - CSRF Token Server-side validation


I've got the following issue on my mind: I built some kind of generic fieldset which I want to use in all my standard forms. It contains a CSRF-Token and a Submit-Button.

It works great on the client side. But I wonder: if I use this Zend\Form\Element\Csrf, where is my logic to prove on the server side that this token is OK? Or is this handled by Zend somewhere in the background?

Thanks!


Solution

  • I use this token and had the same question. The short and sweet answer is that it is handled in the background.

    If the token is not correct or if it expires, an error message will be returned, most likely stating that the form did not originate from the proper location.
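What "handled in the background" looks like on the server, as an added example that is not part of the original question or answer: the Csrf element supplies its own validator, and that validator runs only when the request handler calls `setData()` followed by `isValid()`. The form name, field names, timeout and the `buildForm`/`handlePost` helpers are assumptions, and the script assumes Zend Framework 2 is installed through Composer.

```php
<?php
// Added example (not from the original page). Assumes ZF2 via Composer autoloading.
require 'vendor/autoload.php';

use Zend\Form\Form;

// Hypothetical helper: a form carrying a CSRF token and a submit button.
function buildForm()
{
    $form = new Form('contact'); // assumed form name
    $form->add([
        'type'    => 'Zend\Form\Element\Csrf',
        'name'    => 'csrf',
        // Assumed lifetime: the token stored in the session expires after 600 s.
        'options' => ['csrf_options' => ['timeout' => 600]],
    ]);
    $form->add(['type' => 'Zend\Form\Element\Submit', 'name' => 'submit']);
    return $form;
}

// Hypothetical helper: what a controller action does with the POST data.
// Returns an empty array on success, or the validation messages per field.
function handlePost(Form $form, array $post)
{
    $form->setData($post);
    // The token check happens here. If isValid() is never called,
    // the submitted token is never compared with the one in the session.
    if (!$form->isValid()) {
        return $form->getMessages();
    }
    return [];
}

// Constructed demo: one genuine submission, one with a token the server never issued.
$form  = buildForm();
$token = $form->get('csrf')->getValue(); // value rendered into the hidden field

$genuine = handlePost($form, ['csrf' => $token, 'submit' => 'Send']);
$forged  = handlePost($form, ['csrf' => 'not-the-issued-token', 'submit' => 'Send']);

var_dump(empty($genuine));          // whether the genuine token passed
var_dump(isset($forged['csrf']));   // whether the forged token produced a csrf error
```

A handler that reads `$request->getPost()` directly and skips `isValid()` gets no CSRF protection from the element, so every state-changing action should act only on data that passed the form's validation.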