I need to generate a security token and pass it to an external site in the process of submitting a form, and when they finish processing it and post the data back, I'd like to check the data posted back for the same security token and either allow the script to proceed or kill it upon a mismatch.
I too cannot seem to find a simple answer to this anywhere, though maybe I'm using the wrong keywords in my search. I think I saw somewhere that tokens or replay attack prevention was a feature but now I don't see it.
By default a SilverStripe form includes a security token using the SecurityToken class to generate and check it upon submission. As far as I know the token is saved as a session variable. Might this be the feature you're referring to?
If you were to create a form(type) to use in submitting to an external site, you could still use the SecurityToken class to generate a token and use it to validate the return value - as long as it's an instant response within the current session, I suppose...
Oh! No, what you described is exactly what I was trying to find out. It isn't mentioned anywhere in the basic documentation or tutorials though, which is why I spent all day trying to find how to "create" such a feature.
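The round trip discussed in this thread (issue a token, send it out with the form, check it when the data is posted back), as an added example that is not part of the original posts and is not SilverStripe's own SecurityToken code. It is plain PHP and assumes, as the answer above does, that the post back arrives within the same session; `TOKEN_KEY`, `issueToken` and `checkReturnedToken` are hypothetical names, and the array `$session` stands in for `$_SESSION`.

```php
<?php
// Added example: plain PHP, not SilverStripe's SecurityToken implementation.
// $session stands in for the session store ($_SESSION in a real request).

const TOKEN_KEY = 'ExternalFormToken'; // hypothetical session/field name

/** Create a random token, remember it in the session, return it for the outgoing form. */
function issueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session[TOKEN_KEY] = $token;
    return $token;
}

/** Check the token that was posted back; it is accepted once and then discarded. */
function checkReturnedToken(array &$session, array $post): bool
{
    $expected = $session[TOKEN_KEY] ?? null;
    $supplied = $post[TOKEN_KEY] ?? null;
    unset($session[TOKEN_KEY]); // single use: a replayed post finds nothing to match
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // missing token, or an array smuggled in as the field value
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed walk-through of the round trip.
$session = [];
$token = issueToken($session);
$outgoingFields = ['amount' => '10.00', TOKEN_KEY => $token]; // sent to the external site

$postedBack = $outgoingFields; // the external site echoes the fields back
var_dump(checkReturnedToken($session, $postedBack)); // first return of the token
var_dump(checkReturnedToken($session, $postedBack)); // replay of the same post

issueToken($session);
var_dump(checkReturnedToken($session, [TOKEN_KEY => 'tampered'])); // mismatch

// In the real handler a failed check stops the script:
// if (!checkReturnedToken($_SESSION, $_POST)) { http_response_code(400); exit; }
```

Because the token is discarded on every check, a failed or repeated post back also invalidates it, and the form has to be issued again with a fresh token.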