ruby-on-rails, security, csrf

How is rails CSRF generated token useful?


It seems I am missing something in the CSRF working mechanism. As I understand it: if the CSRF token submitted with the form doesn't match the one in the session, the session is destroyed and thus all authentication data is lost, and most probably the user won't be able to complete the desired action.

But can't a hacker read the CSRF token in the form and add it to POST requests he generates with some script? I mean, I don't understand how the CSRF token protects against anything.


Solution

  • Let's say you want to hack your friend's PayPal account and make him buy you something.

    1. You can make an email that tells him to click on this button to get a free cookie.
    2. Your friend, being fooled by the email, will click the button. You make this button submit a hidden form inside the email that pays you money.
    3. Your friend, right now on his PC, will probably have his account authenticated by default.
    4. If there is no CSRF token, you will now be able to submit the form and buy yourself something with your friend's PayPal.

    But given that PayPal validates the CSRF token, you will not be able to submit such a form.
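The point the answer is making is that the token is bound to the victim's session, and the attacker's page cannot read the victim's page (the browser's same-origin policy stops the attacker's site from reading the form PayPal served to the victim), so the only tokens the attacker can ever read are the ones issued to the attacker's own session. The following Ruby simulation is an added example, not code from the question, the answer, or Rails itself; it models per-session tokens with a masking scheme similar in spirit to the one Rails uses (one-time pad prepended to pad XOR secret), but all names (`session_csrf_secret`, `masked_form_token`, `valid_csrf?`, `csrf_scenario`) and the session-as-hash structure are assumptions for illustration.

```ruby
require "securerandom"
require "base64"

# Hypothetical simulation of per-session CSRF tokens (example code, not Rails'
# own implementation). A session is modelled as a plain Hash.
TOKEN_LENGTH = 32

# The raw secret lives only in the server-side session, never in the form.
def session_csrf_secret(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Token rendered into a form: random pad followed by (pad XOR secret), Base64.
# Every rendered token looks different, but all of them unmask to the same
# session secret (this masking is an assumption modelled loosely on Rails).
def masked_form_token(session)
  secret = session_csrf_secret(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, secret))
end

# Recover the secret a submitted token claims; nil on malformed input.
def unmask(token)
  raw = Base64.strict_decode64(token)
  return nil unless raw.bytesize == 2 * TOKEN_LENGTH
  pad = raw[0, TOKEN_LENGTH]
  masked = raw[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, masked)
rescue ArgumentError
  nil
end

# Constant-time equality so a timing side channel does not leak the secret.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check on a state-changing request: the submitted token must
# unmask to THIS session's secret (the session is identified by the cookie
# the browser attached, i.e. the victim's).
def valid_csrf?(session, submitted)
  return false if submitted.nil?
  secret = session[:_csrf_token]
  return false if secret.nil?
  unmasked = unmask(submitted)
  return false if unmasked.nil?
  secure_equal?(unmasked, secret)
end

# The scenario from the answer: the victim is logged in; the attacker has a
# session of their own and can read tokens only from pages served to them.
def csrf_scenario
  victim   = { user: "friend" }
  attacker = { user: "attacker" }
  legit_form_token    = masked_form_token(victim)   # in PayPal's own page
  attackers_own_token = masked_form_token(attacker) # what the attacker can read
  {
    legit_submit:        valid_csrf?(victim, legit_form_token),
    cross_site_no_token: valid_csrf?(victim, nil),               # hidden form in the email
    attackers_own_token: valid_csrf?(victim, attackers_own_token), # token from the wrong session
    tampered_token:      valid_csrf?(victim, "not-a-token")
  }
end

if __FILE__ == $PROGRAM_NAME
  csrf_scenario.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" }
end
```

Only the token that came from a form rendered into the victim's own session is accepted; the hidden cross-site form (no token), the attacker's own token and a tampered value are all rejected, which is why reading a token from a page served to you does not help you forge a request in someone else's session.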