It seems I am missing something in the CSRF working mechanism. As I understand it: if the CSRF token submitted with the form doesn't match the one in the session, the session is destroyed and thus all authentication data is lost, and most probably the user won't be able to complete the desired action.
But can't a hacker read the CSRF token in the form and add it to POST requests he generates with some script? I mean, I don't understand how the CSRF token protects against anything.
Let's say you want to hack your friend's PayPal account and make him buy you something.
But given that PayPal validates the CSRF token, you will not be able to submit such a form.
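To make the point in the answer concrete, here is an added example (not part of the question, the answer, or PayPal's code) written as a small Python model of a server with a per-session CSRF token. The `/pay` endpoint, the in-memory `SESSIONS` store, the user names and the form fields are all constructed for illustration. The key observation it demonstrates: the attacker's page can make the victim's browser send a POST carrying the victim's cookie, but because of the same-origin policy it cannot read the victim's copy of the form, so the only token the attacker can ever read is one from their own session, which does not validate against the victim's session.

```python
import hmac
import secrets

# Constructed in-memory "server": session id (sent as a cookie) -> session data.
# Everything here is a hypothetical model, not PayPal's real implementation.
SESSIONS = {}


def login(user):
    """Create a session and mint a random, unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """GET /pay: the HTML the logged-in browser receives, with the token embedded.
    Only script running on the same origin can read this response body (same-origin
    policy), so a page on the attacker's site cannot scrape the victim's token out of it."""
    tok = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/pay">'
        f'<input type="hidden" name="csrf_token" value="{tok}">'
        '<input name="to"><input name="amount"><button>Pay</button></form>'
    )


def extract_token(html):
    """What a same-origin script (or the browser submitting the form) does: read the hidden field."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def handle_pay(cookie_sid, form):
    """POST /pay. The browser attaches the session cookie automatically, even for a
    cross-site request; the token must arrive in the form body and must match the
    token stored in *that* session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token mismatch"
    return 200, f"{session['user']} paid {form['amount']} to {form['to']}"


def run_scenarios():
    """Three requests, all carrying the victim's cookie; only the first should succeed."""
    victim = login("friend")
    attacker = login("attacker")
    results = {}

    # 1. Legitimate: the victim's own browser submits the form it was served.
    token = extract_token(render_form(victim))
    results["legitimate"] = handle_pay(
        victim, {"csrf_token": token, "to": "attacker", "amount": "100"}
    )[0]

    # 2. Classic CSRF: a hidden form on the attacker's site auto-submits to /pay.
    #    The browser sends the victim's cookie, but the attacker's page never saw
    #    the victim's form, so it has no token to include.
    results["forged_without_token"] = handle_pay(
        victim, {"to": "attacker", "amount": "100"}
    )[0]

    # 3. The attacker *can* read a token: the one from their own session. It is
    #    bound to the attacker's session, so it does not validate against the victim's.
    attacker_token = extract_token(render_form(attacker))
    results["forged_with_attacker_token"] = handle_pay(
        victim, {"csrf_token": attacker_token, "to": "attacker", "amount": "100"}
    )[0]
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: HTTP {status}")
```

Running it prints `legitimate: HTTP 200` and `403` for both forged requests. The model assumes the token is random and long enough that it cannot be guessed, and that the form page is not readable cross-origin (no overly permissive CORS headers and no XSS on the target site; either of those would let an attacker read the victim's token and defeat the scheme).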