Cross-Site Request Forgery (CSRF) protection
Form elements, such as those used for user registration or adding comments, are vulnerable to this attack. CSRF protection is meant to prevent form values from being submitted to our application from outside it. To fix this, we generate a random nonce (token) in each form.
We store the token in the session and validate it when the form posts its data back to the application, by comparing the token stored in the session with the one submitted by the form.
Then in the controller's action you can check if the CSRF token is valid:
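As an added illustration of the steps described above (example code, not from the original page), the following Python sketch uses a plain dict to stand in for the session store and for the posted form data; the names `generate_csrf_token`, `validate_csrf_token` and `handle_add_comment` are hypothetical, and the token is rotated after each successful check so that a captured value cannot be replayed.

```python
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness per nonce


def generate_csrf_token(session: dict) -> str:
    """Create a fresh random nonce, store it in the session and return it
    so the form can embed it in a hidden field."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    session["csrf_token"] = token
    return token


def validate_csrf_token(session: dict, form: dict, one_time: bool = True) -> bool:
    """Compare the token stored in the session with the one the form submitted.
    Returns False when either side is missing or when they differ."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    ok = hmac.compare_digest(expected.encode(), submitted.encode())
    if ok and one_time:
        # Invalidate the nonce after use; the next form render issues a new one.
        session.pop("csrf_token", None)
    return ok


def handle_add_comment(session: dict, form: dict) -> tuple:
    """Controller action: reject the request before touching any state
    if the token is missing or invalid."""
    if not validate_csrf_token(session, form):
        return 403, "invalid or missing CSRF token"
    return 200, "comment added: " + form.get("body", "")


if __name__ == "__main__":
    # Constructed walk-through: render form, legitimate post, replay, forged post.
    session = {}
    token = generate_csrf_token(session)
    print(handle_add_comment(session, {"csrf_token": token, "body": "hello"}))
    print(handle_add_comment(session, {"csrf_token": token, "body": "replay"}))
    print(handle_add_comment({}, {"body": "no token at all"}))
```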