Is a persistent CSRF token safe/secure?

My previous algorithm for my CSRF token uses password_hash(), and this is multi-tab and cross-tab friendly. My only problem is that when I started profiling my code using KCacheGrind, this function was eating most of the time, with Incl. = 87.1 & Self = 87.11. I am not an expert in profiling, but KCacheGrind said that I should focus on a high Self time. So I searched here and saw ThiefMaster's answer, which said:

You could simply use a token which is persistent for the current session or even the user (e.g. a hash of the hash of the user's password) and cannot be determined by a third party (using a hash of the user's IP is bad for example).

Then you don't have to store possibly tons of generated tokens and unless the session expires (which would probably require the user to login again anyway) the user can use as many tabs as he wants.

Is using a persistent CSRF token safe/secure?

What do I need to do to make a persistent CSRF token safe/secure?
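
A per-session token of the kind the quoted answer describes, as an added example that is not part of the original post: the token is drawn once per session from the CSPRNG instead of being derived with password_hash(), compared in constant time, and replaced when the session's privileges change. The function names are hypothetical, and `$session` is an assumption that stands in for `$_SESSION` so the block also runs from the CLI.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not from the original post). Pass $_SESSION as
// $session in a real request; a plain array is used here for the demo.

/** Return the session's CSRF token, creating it once from the CSPRNG. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes: unguessable by a third party and far cheaper
        // to produce than a password_hash() call on every page.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time check of the value submitted with a state-changing request. */
function csrf_check(array $session, $submitted): bool
{
    // Reject arrays/null (e.g. token[]=x in the request) before comparing.
    return is_string($submitted)
        && !empty($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

/** Call on login, logout or privilege change so the old token stops working. */
function csrf_rotate(array &$session): string
{
    unset($session['csrf_token']);
    return csrf_token($session);
}

// Constructed demo: two "tabs" share one session, so they share one token.
$session = [];
$tabA = csrf_token($session);
$tabB = csrf_token($session);
var_dump($tabA === $tabB);                  // tokens read by tab A and tab B
var_dump(csrf_check($session, $tabA));      // token submitted from tab A
var_dump(csrf_check($session, 'forged'));   // value not issued by the server
var_dump(csrf_check($session, ['x']));      // non-string input
csrf_rotate($session);
var_dump(csrf_check($session, $tabA));      // tab A's token after rotation
```

The token's lifetime is the session's lifetime, so it should only ever be sent in a POST body or a custom request header, never in a URL where it can leak through logs or the Referer header.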