I have read https://habrahabr.ru/post/235247/
and other articles on the resources smaller.
Now I have cookies placed on 1 hour in addition to the name cookie, nothing is stored in session are stored the email id and the session itself is not stored anywhere (except for temp servers of course).
If I understand correctly then:
1. The user is authenticated, authorization generis him a token and put in session
2. In any form have a hidden field which is populated token without the knowledge of user data from session
3. But during the reception form data from the form came a token must somehow compare to the original, otherwise you can send any and all this bessmyslenno. It turns out that would have been original to in paragraph 1 token should be written not only during the session but in the database from which for each scan to extract for comparison.
And to update it in the database at each login...
4. Get-requests a token cannot be protected
All so or I missed something?