easycsrf's Introduction

easycsrf's Issues

[CRITICAL] This library is absolutely insecure

It looks like this library was intentionally created to be insecure.

  1. Type juggling

// Loose comparison of an int with a string that starts with the same digits
function referralHash()
{
    return sha1('192.168.0.1' . 'aMozilla Firefox');
}

function randomString()
{
    return sha1(random_bytes(32));
}

$time = time();
$token = $time . referralHash() . randomString(32);
echo $time, PHP_EOL;
echo $token, PHP_EOL;
var_dump($time == $token);

Until PHP 8.0, 123 == '123abc' evaluates to true,
that's why it's critical to have === here:

if ($token != $sessionToken) {

  2. mt_rand does not generate cryptographically secure values. Given two mt_rand() output values separated by 226 others, it is possible to compute, without any bruteforce, the original seed, and therefore obtain any previous or subsequent mt_rand() output, effectively breaking the PRNG.
     Consider reworking randomString() to something like:

protected function randomString(): string
{
    return sha1(random_bytes(32));
}

  3. (Just a question) What is the purpose of referralHash()? In CSRF attacks all the requests come from the legitimate user, so randomString() + referralHash() is as secure as randomString() alone.
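As an added illustration of points 1 and 2 above (example code, not from the issue or from the easycsrf library; the function names are assumed), the following generates a token from random_bytes() and verifies it with hash_equals(), and shows two constructed string pairs that PHP's loose == treats as equal:

```php
<?php
// Added example (not from the easycsrf issue or the library): a token
// generator built on random_bytes() and a verifier built on hash_equals(),
// beside the loose comparison the issue warns about. Function names are
// hypothetical.
declare(strict_types=1);

// Generate a 256-bit token; random_bytes() is a CSPRNG, unlike mt_rand().
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Compare the submitted token with the stored one. hash_equals() requires
// both operands to be strings, compares byte-for-byte (no numeric coercion),
// and takes time independent of where the first mismatch occurs.
function verifyCsrfToken(string $submitted, ?string $stored): bool
{
    if ($stored === null || $stored === '') {
        return false;            // nothing stored yet: never accept
    }
    return hash_equals($stored, $submitted);
}

// Constructed inputs showing where loose comparison goes wrong.
$pairs = [
    // Both strings are numeric in scientific notation (0 * 10^n), so ==
    // compares them as 0 == 0 on every PHP version.
    ['0e123456789', '0e987654321'],
    // int == leading-numeric string: before PHP 8.0 the string is cast to
    // int first, so only the numeric prefix is compared.
    [1553203908, '1553203908a9f0'],
];

foreach ($pairs as [$a, $b]) {
    $loose  = ($a == $b) ? 'equal' : 'different';
    $strict = hash_equals((string) $a, (string) $b) ? 'equal' : 'different';
    printf("%-14s vs %-16s  ==: %-9s hash_equals: %s\n", $a, $b, $loose, $strict);
}

// Round trip: the stored token verifies, a one-byte change does not.
$token = generateCsrfToken();
var_dump(verifyCsrfToken($token, $token));
var_dump(verifyCsrfToken($token . 'x', $token));
```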

my_token

Can't I let the system generate tokens randomly?
And what should my_token be?

Missing CSRF session token.

easyCSRF is reporting 'missing CSRF session token'.

I've called $easyCSRF->generate( 'my_token' ) and the value has been output to my html:

<form method="post" ation="/new"> <input type="hidden" name="nonce" value="MTU1MzIwMzkwODNmNzIwNTU1Mzg0Nzk2NjNkZDNkNTk4MjM3OGM0YjE4YzIxZWE5N2N6NDg5cWVyaGFUcVozY1B1TjJEdllLMncwYUdpTENudw==">

When the form is posted, echoing $_POST['nonce'] outputs:

MTU1MzIwMzkwODNmNzIwNTU1Mzg0Nzk2NjNkZDNkNTk4MjM3OGM0YjE4YzIxZWE5N2N6NDg5cWVyaGFUcVozY1B1TjJEdllLMncwYUdpTENudw==

Immediately after echoing, I call:

try { $this->easyCSRF->check('my_token', $_POST['nonce']); } catch(Exception $e) { echo $e->getMessage(); }

and in the browser I get: Missing CSRF session token.

Any advice or suggestions? Thanks

Some organizations have user ip change while browsing

One issue I see from time to time with organization users (e.g. a university or hospital Wi-Fi) is a changing IP address for users as they browse and load pages. The whole IP doesn't change, just the last group of 3 digits as that's the IP range assigned to the organization. For example, as a user browses their IP changes from 111.222.333.444 to 111.222.333.555 to 111.222.333.666, etc. This behavior causes the CSRF validation to fail, since the codes are based on $_SERVER['REMOTE_ADDR'] (see EasyCSRF.php function referralHash).

It would be helpful to be able to use a partial user ip from $_SERVER['REMOTE_ADDR'], rather than the whole ip, for these use cases.
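One way to do what this issue asks for, as an added example that is not part of the issue or of the easycsrf library (function names, the /24 and /64 prefix lengths and the sample addresses are assumptions): mask REMOTE_ADDR to a network prefix before hashing, so an address that moves within one assigned range still produces the same referral hash.

```php
<?php
// Added example (not part of the issue or the easycsrf library): derive the
// referral hash from a network prefix instead of the full REMOTE_ADDR, so
// clients whose address moves inside one assigned range keep validating.
// Function names and prefix lengths are assumptions.
declare(strict_types=1);

// Keep only the first $bits of the address (IPv4 /24, IPv6 /64 by default)
// and return it in printable form; returns null for unparsable input.
function networkPrefix(string $ip, int $v4Bits = 24, int $v6Bits = 64): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null;
    }
    $bits = strlen($packed) === 4 ? $v4Bits : $v6Bits;
    $masked = '';
    for ($i = 0; $i < strlen($packed); $i++) {
        $keep = max(0, min(8, $bits - 8 * $i));          // bits kept from this byte
        $mask = $keep === 0 ? 0 : (0xFF << (8 - $keep)) & 0xFF;
        $masked .= chr(ord($packed[$i]) & $mask);
    }
    return inet_ntop($masked) . '/' . $bits;
}

// Hash of the masked address plus user agent, analogous to referralHash()
// but tolerant of the last octet changing. Null when the address is invalid,
// so the caller can refuse rather than hash an empty prefix.
function referralHashByPrefix(string $ip, string $userAgent): ?string
{
    $prefix = networkPrefix($ip);
    return $prefix === null ? null : hash('sha256', $prefix . '|' . $userAgent);
}

// Constructed sample: two addresses in the same /24, one outside it, one IPv6.
$ua = 'Mozilla/5.0 (constructed)';
foreach (['203.0.113.10', '203.0.113.200', '203.0.114.10', '2001:db8::1'] as $ip) {
    printf("%-16s -> %-18s %s\n", $ip, networkPrefix($ip), referralHashByPrefix($ip, $ua));
}
```

The first two sample addresses yield the same hash while the third does not; the trade-off is that the token is then bound to the network rather than to the individual host.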

Array and string offset access syntax with curly braces is deprecated

Deprecated: Array and string offset access syntax with curly braces is deprecated in vendor/gilbitron/easycsrf/src/EasyCSRF.php on line 84

This line uses curly braces to access the array:
$string .= $seed{intval(mt_rand(0.0, $max))};
It should be:
$string .= $seed[intval(mt_rand(0.0, $max))];

Edit: My bad, this is already fixed but not live yet. It is in this pull request:
#4
