I have added the following code to my login form
$csrf = $this->createElement('hash', 'csrf', array('salt' => 'unique'));
And in the controller action I have
if (!$admin_login_form->isValid($_POST)) {
//Throw Error
}else{
// Redirect to index
}
Now the question is: does Zend handle hash code checking automatically, or do we have to code something manually to verify it?
The answer is no. You don't have to do anything to check whether the hash is valid or not.
When you create a Zend_Form_Element_Hash element, it automatically adds a validator (using Zend_Validate_Identical) to your form and registers your hash in a new session namespace.
Afterwards, once you call the isValid() method, if the CSRF token stored in the session when the page was rendered is not the same as the one sent in the last request, the Identical validator will fail and return an error.
Edit: Additionally, you can add a salt to your element and a hash will be generated according to the following encryption: md5(mt_rand(1,1000000) . $this->getSalt() . $this->getName() . mt_rand(1,1000000)).
To answer your second question in your comment, two elements won't cause any session conflicts since the namespace used to store the hash is defined by three criteria:
For example, your element would probably be stored under this namespace: "Zend_Form_Element_Hash_unique_hash", where "unique" is the salt value and "hash" is your element name.
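To make the render-then-validate round trip described in the answer concrete, here is a standalone PHP sketch added to this page; it is not Zend Framework's code, and the class name CsrfHashElement is made up. A plain array stands in for the Zend_Session_Namespace the real element uses, the session key follows the "Zend_Form_Element_Hash_<salt>_<name>" pattern from the answer, the token formula is the md5(mt_rand ...) one quoted above, and the comparison plays the role of the Identical validator. Consuming the token on first check is a simplification of the expiring session entry the real element relies on.

```php
<?php
// Added example, not Zend Framework code: a minimal stand-in for what
// Zend_Form_Element_Hash does when the form is rendered and when isValid()
// later runs. $session is a plain array standing in for Zend_Session_Namespace.

final class CsrfHashElement
{
    private string $name;
    private string $salt;
    /** @var array<string,string> stand-in for the session namespace */
    private array $session;

    public function __construct(string $name, string $salt, array &$session)
    {
        $this->name = $name;
        $this->salt = $salt;
        $this->session = &$session;
    }

    // Session key built from the element class, the salt and the element name,
    // mirroring the "Zend_Form_Element_Hash_unique_hash" example in the answer.
    public function getSessionName(): string
    {
        return 'Zend_Form_Element_Hash_' . $this->salt . '_' . $this->name;
    }

    // Token formula quoted in the answer: md5(rand . salt . name . rand).
    // Kept for fidelity to the answer; mt_rand is not a cryptographic source,
    // so current code would draw the token from random_bytes() instead.
    public function generateHash(): string
    {
        return md5(mt_rand(1, 1000000) . $this->salt . $this->name . mt_rand(1, 1000000));
    }

    // Rendering the form: create the token, remember it in the session
    // namespace, and emit the hidden field the browser will send back.
    public function render(): string
    {
        $hash = $this->generateHash();
        $this->session[$this->getSessionName()] = $hash;
        return sprintf(
            '<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($this->name, ENT_QUOTES),
            $hash
        );
    }

    // The check isValid() performs through the Identical validator: the value
    // posted back must equal the one stored at render time. A missing stored
    // token or missing field fails closed; the token is consumed after one
    // check (simplification of the real element's expiring session entry).
    public function isValid(array $post): bool
    {
        $key = $this->getSessionName();
        if (!isset($this->session[$key], $post[$this->name])) {
            return false;
        }
        $expected = $this->session[$key];
        unset($this->session[$key]);
        // Constant-time comparison so the check does not leak token prefixes.
        return hash_equals($expected, (string) $post[$this->name]);
    }
}

// Constructed demo run (no real session needed) using the names from the
// question: element "csrf" with salt "unique".
$session = [];
$element = new CsrfHashElement('csrf', 'unique', $session);
$fieldHtml = $element->render();
$token = $session[$element->getSessionName()];

var_dump($element->isValid(['csrf' => $token]));           // same token the form stored
var_dump($element->isValid(['csrf' => $token]));           // same token submitted a second time
$element->render();
var_dump($element->isValid(['csrf' => 'forged-value']));   // value the session never issued
$element->render();
var_dump($element->isValid([]));                           // field absent from the POST body
```

Run it with `php example.php` to see each of the four cases. The shape matches what the answer describes: nothing extra is coded in the controller, because the element stored the token at render time and the validator attached to the form compares it against the submitted value when isValid($_POST) runs.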