I’ve been validating my CSRF tokens by comparing the session value and the request headers(CSRF included) instead of the token in POST. I found them unnecessary anymore so I decided to remove them anyway. I’ve been finding the function where the hidden fields are being generated so that I can override it.
Thanks in advance.
You normally don’t handle that yourself: http://www.yiiframework.com/doc/guide/1.1/en/topics.security#cross-site-request-forgery-prevention
Any particular reason why you’ve been doing that work yourself?
Regardless, you can find the code in CHttpRequest
And the form uses it here:
https://github.com/yiisoft/yii/blob/1.1.13/framework/web/helpers/CHtml.php#L319
Just a small hint:
If I could figure that out by going to the Yii definitive guide and navigate from there to the API docs, so can you. 
Thanks jacmoe!