How to use the key and user type features? #15

Open

schlomo opened this issue Feb 18, 2019 · 1 comment


schlomo commented Feb 18, 2019

Reading through the source code (csrf-magic/csrf-magic.php, lines 306 to 324 in 7d3527a):

    switch ($type) {
        case 'sid':
            return $value === csrf_hash(session_id(), $time);
        case 'cookie':
            $n = $GLOBALS['csrf']['cookie'];
            if (!$n) return false;
            if (!isset($_COOKIE[$n])) return false;
            return $value === csrf_hash($_COOKIE[$n], $time);
        case 'key':
            if (!$GLOBALS['csrf']['key']) return false;
            return $value === csrf_hash($GLOBALS['csrf']['key'], $time);
        // We could disable these 'weaker' checks if 'key' was set, but
        // that doesn't make me feel good then about the cookie-based
        // implementation.
        case 'user':
            if (!csrf_get_secret()) return false;
            if ($GLOBALS['csrf']['user'] === false) return false;
            return $value === csrf_hash($GLOBALS['csrf']['user'], $time);
        case 'ip':

I was wondering how to use the key or user feature. Could you provide an example of how to create a static secret to put into a form?

Background is having an automatic login into a form-based authentication that has csrf protection.


netniV commented Feb 23, 2020

To me, there is no real difference between the use of 'key' or 'user'. Both of these are using generic strings within the data that are then hashed. There is no additional functionality when using 'key' though I'm happy for someone to correct me on that.

In my v1.1.0 patch, I did add the ability to turn off using session_id() as the primary method of generating a secure key, though I'm not sure why you would want to imho as having a static secret means that once known, it's the same as not having one.
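The following is an added worked example, not code from csrf-magic or from either participant. It covers both the question (what goes into the form for the 'key' and 'user' types) and the reply (a static key is no protection once known). It models the scheme visible in the excerpt above: a token is "type:hash,time" where hash is sha1(secret . value . time), and the 'key' and 'user' branches differ only in which configured string is hashed. The concatenation order inside sha1(), the hidden-field name `__csrf_magic`, and every `demo_*` function name and configuration value are assumptions made for this example, not taken from the project.

```php
<?php
// Added example modelled on csrf-magic's token layout; not the library's own code.
// Assumed token layout: "<type>:<sha1(secret . value . time)>,<time>".

// Hypothetical server configuration with constructed values.
$GLOBALS['csrf'] = [
    'secret'  => 'constructed-server-secret-0123456789abcdef', // server-side secret
    'key'     => 'constructed-static-form-key',                // 'key' type string
    'user'    => false,                                        // 'user' type disabled
    'expires' => 1800,                                         // token lifetime in seconds
];

// Hash one value with the server secret and a timestamp (assumed csrf_hash() shape).
function demo_csrf_hash(string $value, ?int $time = null): string {
    $time = $time ?? time();
    return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
}

// Server side: build the value for the hidden form field, 'key' taking precedence
// over 'user' just as in the excerpt's switch order.
function demo_csrf_get_token(): string {
    if ($GLOBALS['csrf']['key']) {
        return 'key:' . demo_csrf_hash($GLOBALS['csrf']['key']);
    }
    if ($GLOBALS['csrf']['user'] !== false) {
        return 'user:' . demo_csrf_hash($GLOBALS['csrf']['user']);
    }
    return 'invalid';
}

// Server side: render the hidden field (field name is an assumption).
function demo_csrf_form_field(): string {
    return '<input type="hidden" name="__csrf_magic" value="'
        . htmlspecialchars(demo_csrf_get_token(), ENT_QUOTES) . '">';
}

// Server side: verify a submitted token, mirroring the 'key' and 'user' cases above.
// hash_equals() replaces the excerpt's === so the comparison is constant-time.
function demo_csrf_check_token(string $token): bool {
    if (strpos($token, ':') === false) return false;
    [$type, $value] = explode(':', $token, 2);
    if (strpos($value, ',') === false) return false;
    [, $time] = explode(',', $value, 2);
    if (!ctype_digit($time)) return false;
    $time = (int) $time;
    if ($GLOBALS['csrf']['expires'] && time() > $time + $GLOBALS['csrf']['expires']) return false;
    switch ($type) {
        case 'key':
            if (!$GLOBALS['csrf']['key']) return false;
            return hash_equals(demo_csrf_hash($GLOBALS['csrf']['key'], $time), $value);
        case 'user':
            if ($GLOBALS['csrf']['user'] === false) return false;
            return hash_equals(demo_csrf_hash($GLOBALS['csrf']['user'], $time), $value);
    }
    return false;
}

// Client side (the "automatic login" script from the question): anyone holding the
// server secret and the static key can mint a fresh 'key' token offline, without
// ever fetching the form. This is the point made in the reply above.
function demo_client_mint_key_token(string $secret, string $key, int $time): string {
    return 'key:' . sha1($secret . $key . $time) . ',' . $time;
}

// Token issued by the server and echoed back unchanged.
$issued = demo_csrf_get_token();
var_dump(demo_csrf_check_token($issued));

// Token minted by a client that knows the secret and the static key.
$minted = demo_client_mint_key_token(
    'constructed-server-secret-0123456789abcdef',
    'constructed-static-form-key',
    time()
);
var_dump(demo_csrf_check_token($minted));

// Token with a bogus hash for the same key.
var_dump(demo_csrf_check_token('key:' . str_repeat('0', 40) . ',' . time()));

echo demo_csrf_form_field(), PHP_EOL;
```

Run it with `php demo.php`. The first two checks succeed and the third fails: the server cannot tell its own token from one minted by a client holding the static key and secret, which is why a static 'key' adds nothing once it leaks, while session-bound ('sid') or cookie-bound tokens at least require the attacker to hold the victim's session or cookie value.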
