feel free to keep it strictly simple...


The Leptoken should protect the logged on user against Cross Site Request Forgery attacks.


  • When a page is delivered to a logged on user, each internal link is enhanced by a so called Leptoken. This is done by the function addTokens().
  • When the user clicks on a link, the Leptoken will be sent to the server as a GET parameter. The function checkToken() checks whether delivered and returned Leptoken match each other.
  • It is possible to work with multiple browser tabs, because each Leptoken has a certain lifetime. The lifetime is configurable in the Advanced Options --> Secutity Settings --> Leptoken Lifetime. The Leptoken will be deleted only after it reached its lifetime.