When generating a hash for a form token, I've seen a few different versions:

$hash = new Zend_Form_Element_Hash('hihacker', array('salt' => 'exitsalt'));

and 

$hash = new Zend_Form_Element_Hash('hash', 'no_csrf_foo', array('salt' => 'unique'));

First of all, does the salt have to be unique for each form render? The second one suggests so, but I'm not sure.

Also which is the better way of doing it?

+1  A: 

A unique salt would be better, as it would change each time, making it nearly impossible for any would-be spammers to auto-submit your form.

Even with a constant salt, any would-be hacker would be unlikely to be able to break this.

I would suggest creating the element this way:

$hash = new Zend_Form_Element_Hash('hash', 'no_csrf_foo', array('salt' => 'unique'));

This way you know that the name of the element is no_csrf_foo, so you can easily get it back later if need be by doing:

$form->getElement("no_csrf_foo");

Is there some specific scenario you are afraid of that would make this method of stopping auto form submission insufficient?

jakenoble
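For reference, a minimal form that wires up the hash element and checks it on submission, written as an added example rather than code from the question or answer. It assumes Zend Framework 1 on the include path with sessions available; the form class and the `comment` and `send` field names are made up for the example.

```php
<?php
// Added example (not from the question or answer): a minimal Zend Framework 1
// form carrying a CSRF hash element, and the check run on the submitted data.
// Assumes ZF1 is on the include path and a session can be started; the form
// class and the 'comment'/'send' fields are invented for this example.
require_once 'Zend/Form.php';
require_once 'Zend/Form/Element/Hash.php';

class CommentForm extends Zend_Form
{
    public function init()
    {
        $this->setMethod('post');
        $this->addElement('text', 'comment', array('required' => true));

        // 'no_csrf_foo' is the name of the hidden token field in the rendered
        // HTML and the name used to fetch the element back with getElement().
        $this->addElement('hash', 'no_csrf_foo', array(
            'salt'    => 'unique',   // salt mixed into the generated token
            'timeout' => 300,        // token is only accepted for 300 seconds
        ));
        $this->addElement('submit', 'send');
    }
}

// Rendering (GET): the hash element generates a token when the form is
// rendered and keeps it in the session, so the page carries a hidden field.
$form = new CommentForm();
// echo $form->render();

// Handling the POST: isValid() runs the hash element's validator, which
// compares the submitted hidden field against the value kept in the session.
function handleSubmission(Zend_Form $form, array $post)
{
    if (!$form->isValid($post)) {
        // Token missing, expired or mismatched: reject the request, log it,
        // and re-render the form so the user gets a fresh token.
        return false;
    }
    // Token accepted; process $form->getValue('comment') here.
    return true;
}
```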