Problem this snippet solves:
The token given to the client is created by encrypting a secret (stored in $::secret) with AES using a key (stored in $::key) that changes every $::session_timeout seconds (default 600, i.e. 10 minutes). The token changes regularly to make it harder for attackers to defeat the protection mechanism (i.e. this prevents the attacker from simply recording a single valid token and reusing it forever).