The new Security\Csrf component does not support two particular use cases:

1. Dropping a CSRF token when it was used (for sensitive operations)

if ($tokenGenerator->isCsrfTokenValid('delete_customer', $token)) {
    $tokenGenerator->clearCsrfToken('delete_customer');

    // delete customer...
}

(as a consequence, you can't press "back" and delete another customer with the same token)

2. Generating a once-only token (for very sensitive operations)

// will generate a new token on every call
$token = $tokenGenerator->generateCsrfToken('page_token', true);

(as a consequence, you can never press "back" and redo any action)

Can you give me some feedback on the API names? I think clearCsrfToken() is straight-forward, but I'm not sure about the second parameter to generateCsrfToken() - as alternative, we could add a completely new method (such as generateNewCsrfToken() - can't think of a good name).