I am learning about how to prevent CSRF using anti-CSRF tokens. Essentially, the idea is to:-
1) Generate a token, e.g. MD5 or SHA1, then store this value in a session variable:-
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
2) All forms include this token value in a POST hidden field
<input type='hidden' name='token' value='$nonce_token' />
Eg what it would look like to user in source code:-
<input type='hidden' name='token' value='9ee66e4e63a06ee4b83a3edde4ecd587' />
3) Once the form is sent, check that the POST hidden field token value matches the token stored in the session:
if($_POST['token']==$_SESSION['token']){...ok...}
However, this process seems a little flawed, since by including the token value in a hidden POST field an attacker can simply look at the website source code to see the token and then include it in a maliciously generated POST form, which my application would then accept once received, as the token value sent would match the token value in my session variable, since I essentially show the token value in my hidden field to the attacker.
Thus, my question is what is the best way around this, as a few ideas I had still seem a little flawed:-
1) Using $_GET instead, but this still has the same flaws as $_POST.
2) Changing the token value after x minutes or on each request, but this causes usability issues when going back in the browser, or fails when the user is filling in a form and the token value becomes outdated compared to the updated session token, since the hidden token value would not have been updated while the user was filling in the form.
3) Trying to encrypt the hidden POST form token value and then decrypting it on POST, but encrypting/decrypting an already hashed value seems complicated, especially for one-way hashed values like MD5?
Any ideas would be much appreciated.
No, they can't.
Alice runs a website. Bob visits the website. Mallory is attacking Bob’s account.
Bob gets a nonce token when he visits Alice’s website.
If Mallory visited the site, Mallory would get a different nonce (because Mallory would have a different session).
If Mallory generated a form with malicious data in it (on her website) and tricked Bob into submitting it, then the nonce Mallory put in the form would not match the nonce in Bob’s session and the submission would be rejected.
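The three steps from the question and the Alice/Bob/Mallory scenario from the answer, as an added example in Python (not the asker's PHP and not code from the thread): each browser session gets its own token, the hidden field is rendered only into that session's page, and a submission is checked against the session named by the cookie that arrives with it. The session store and the two visitors are constructed for the demonstration; the token check uses a constant-time comparison instead of the `==` in the question.

```python
import hmac
import secrets

# Constructed server-side session store: cookie value -> that visitor's session data.
SESSIONS = {}


def start_session():
    """New session, as Alice's site creates when a browser first visits.
    Returns the session id the browser would carry in its cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_token(sid):
    """Step 1: generate an unpredictable token and keep it in this visitor's session."""
    token = secrets.token_hex(32)
    SESSIONS[sid]["token"] = token
    return token


def render_form(sid):
    """Step 2: the hidden field. Only the visitor who owns `sid` receives this
    page, so only that visitor sees this token in the page source."""
    token = SESSIONS[sid].get("token") or issue_token(sid)
    return "<input type='hidden' name='token' value='%s' />" % token


def check_submission(sid, post):
    """Step 3: accept the POST only if its token matches the token stored in the
    session that belongs to the cookie sent with the request."""
    expected = SESSIONS.get(sid, {}).get("token")
    submitted = post.get("token", "")
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time, unlike ==


def demo():
    """Bob submits his own form; Mallory's forged form reaches the site from
    Bob's browser (so with Bob's cookie) but carries the token from HER page."""
    bob, mallory = start_session(), start_session()
    render_form(bob)      # Bob's page source shows Bob's token
    render_form(mallory)  # Mallory's page source shows only Mallory's token
    legit = check_submission(bob, {"token": SESSIONS[bob]["token"]})
    forged = check_submission(bob, {"token": SESSIONS[mallory]["token"]})
    return legit, forged  # (True, False)
```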