"request forgery token".. by it's name and very nature, it is attempting to protect "each request" against forgery.. having one long-lived (like a session id?) would be completely useless for this.You can use the CSRF token in your custom code, just like this: (assuming you've included osticket)<form ... ><my inputs etc><?php // load the CSRF token from osticket csrf_token ();<?</form>Alternately, if you want it in a variable: ob_start (); csrf_token (); $token = ob_get_clean ();However, there are different ones for staff and a CSRF token is only required for POST data, so, if your form requirements are simple enough, just GET them. :-)