Cross-site request forgery (XSRF or CSRF) is an attack in which an attacker causes your browser to
send requests to a sensitive site you are already logged in to, without your intent.
For example, you are logged in to example.com and an attacker's page causes your browser to make a
POST request to example.com/changepassword. Once you are logged in to example.com, your browser
authenticates you by sending a session cookie, and it attaches that cookie to every request to
example.com regardless of which page initiated the request. That is what makes the attack work.
To prevent this vulnerability, the server must verify that a sensitive request originated from a
page served by your own origin. Typical sites embed an unpredictable secret value in each form
(the synchronizer token pattern); that is not implemented here. For endpoints that only accept AJAX
(XHR) requests, it is sufficient to require a custom request header, in this case X-XSRF-TOKEN,
because a page on another origin cannot add custom headers to a request it sends to your site.
Merely checking that the header is present is often sufficient, since script on one origin cannot
set custom header values on requests to another origin. However, there have been exceptions, such
as plugin bugs that allowed arbitrary headers to be set cross-origin, which is why the header must
carry an unpredictable value and not merely be present. // TODO(justin): Include a link on flash vulns.
This class derives a hash from a supplied session token. It encapsulates the hashing details and
the names and values of the cookie and header used to carry the token.
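The following is an added example, not code from this class or its project, showing the check
described above in Python: a token derived from the session token, handed to first-party script in
the XSRF-TOKEN cookie, and required back in the X-XSRF-TOKEN header on state-changing requests. The
class described on this page generates a hash; this example uses a keyed HMAC (SERVER_SECRET is a
constructed placeholder) so the value is unpredictable even to someone who knows the hash function.
The weaker presence-only check is included alongside for contrast. Function names, the cookie
attributes and the sample headers are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; a real deployment loads this from a key store and rotates it.
SERVER_SECRET = b"example-only-not-a-real-secret"

XSRF_COOKIE = "XSRF-TOKEN"      # cookie the server sets; readable by first-party script
XSRF_HEADER = "X-XSRF-TOKEN"    # header the XHR client must echo the cookie value back in
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def xsrf_token(session_token: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the XSRF token from the session token.

    The page describes a hash of the session token; this example uses a keyed
    HMAC-SHA256 so the value cannot be computed without the server secret and
    is bound to one session, so it cannot be replayed against another.
    """
    return hmac.new(secret, session_token.encode("utf-8"), hashlib.sha256).hexdigest()


def xsrf_set_cookie(session_token: str) -> str:
    """Set-Cookie line that hands the token to first-party script.

    Deliberately not HttpOnly: the page's XHR code reads this cookie and copies
    it into the X-XSRF-TOKEN header. Secure and SameSite limit its exposure.
    """
    return f"{XSRF_COOKIE}={xsrf_token(session_token)}; Path=/; Secure; SameSite=Strict"


def _header_value(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def header_present(method: str, headers: dict) -> bool:
    """Weak check: only requires the custom header to exist.

    Sound only while no cross-origin code can add arbitrary headers; the
    plugin bugs mentioned above broke that assumption, hence xsrf_ok below.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    return _header_value(headers, XSRF_HEADER) is not None


def xsrf_ok(method: str, headers: dict, session_token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Strong check: header value must equal the token derived from the session.

    Safe methods are exempt (they must not change state). The comparison is
    constant-time so a byte-by-byte timing oracle cannot recover the token.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    presented = _header_value(headers, XSRF_HEADER)
    if presented is None:
        return False
    expected = xsrf_token(session_token, secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    sess = secrets.token_urlsafe(32)
    print(xsrf_set_cookie(sess))
    # Legitimate XHR from our own page: the header echoes the cookie value.
    good = {XSRF_HEADER: xsrf_token(sess)}
    # Forged cross-site form POST: the browser sends the session cookie but no custom header.
    forged = {"Content-Type": "application/x-www-form-urlencoded"}
    # Attacker who managed to inject the header but does not know the session-bound value.
    guessed = {XSRF_HEADER: "0" * 64}
    print(xsrf_ok("POST", good, sess), xsrf_ok("POST", forged, sess), xsrf_ok("POST", guessed, sess))
```

The cookie carries the same value the header must contain, so a forged request from another origin
fails twice over: it cannot add the header at all, and even if a plugin bug let it, it could not
supply the right value without reading a cookie that belongs to your origin.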