https://stevenroland.com/posts/implementing-single-use-tokens-with-php-sessions