public static method

Checks a single-use hash key against the session token that generated it, using a cryptographically-secure verification method. Accepts either the request key as a string, or a Request object with a $data property containing a ['security']['token'] key.

For example, the following two controller code samples are equivalent:

$key = $this->request->data['security']['token'];

if (!RequestToken::check($key)) {
	// Handle invalid request...
if (!RequestToken::check($this->request)) {
	// Handle invalid request...


  • mixed $key

    Either the actual key as a string, or a Request object containing the key.

  • array $options

    The options to use when matching the key to the token:

    • 'sessionKey' string: The key used when reading the token from the session.



Returns true if the hash key is a cryptographic match to the stored session token. Returns false on failure, which indicates a forged request attempt.


	public static function check($key, array $options = []) {
		$defaults = ['sessionKey' => 'security.token'];
		$options += $defaults;
		$session = static::$_classes['session'];

		if (is_object($key) && isset($key->data)) {
			$result = Set::extract($key->data, '/security/token');
			$key = $result ? $result[0] : null;
		return Password::check($session::read($options['sessionKey']), (string) $key);