I found these couple of lines of code on the internet, and the goal is to prevent CSRF using a one-time token. Since the hidden value can be easily read from the source code, I am trying to figure out what makes this code prevent cross-site request forgeries. Any idea?
**form.php**
```php
<?php
session_start(); // needed before $_SESSION can be used

// Generate a token for this request and remember it in the user's session
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
?>
<form action="process.php" method="post">
    <!-- The same token is embedded in the page served to this user -->
    <input type="hidden" name="token" value="<?php echo htmlspecialchars($token); ?>" />
    <p>
        Symbol: <input type="text" name="symbol" /><br />
        Shares: <input type="text" name="shares" /><br />
        <input type="submit" value="Buy" />
    </p>
</form>
```
**process.php**
```php
<?php
session_start(); // restore the session that form.php stored the token in

// Compare the posted token with the one held server-side in the session.
// hash_equals() avoids PHP's loose == comparison and timing differences.
if (isset($_SESSION['token'], $_POST['token'])
    && is_string($_POST['token'])
    && hash_equals($_SESSION['token'], $_POST['token']))
{
    unset($_SESSION['token']); // one-time: a token cannot be reused
    /* Valid Token */
}
?>
```
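To make the mechanism concrete, here is an added model of the two files above, written in Python rather than PHP and not part of the question or any PHP project. The function names and the in-memory `sessions` store are assumptions; the point it shows is that the token lives in the victim's session and in a page only the victim's browser can read, so a request forged from another origin carries the session cookie but not the token.

```python
import secrets
import hmac

# Constructed in-memory session store, keyed by the session cookie value.
sessions = {}


def new_session():
    sid = secrets.token_hex(16)
    sessions[sid] = {}
    return sid


def render_form(session_id):
    """form.php: mint a token, keep it in the session, embed it in the page."""
    token = secrets.token_hex(16)
    sessions[session_id]["token"] = token
    return token  # this is the value that ends up in the hidden input


def process(session_id, post):
    """process.php: accept only if the posted token matches the session's, then burn it."""
    session = sessions.get(session_id)
    if session is None or "token" not in session:
        return False
    expected = session.pop("token")  # one-time: any later use of it fails
    return hmac.compare_digest(expected, post.get("token", ""))


def legitimate_flow():
    sid = new_session()
    token = render_form(sid)  # victim's browser loads form.php and sees the hidden field
    return process(sid, {"token": token, "symbol": "ACME", "shares": "10"})


def cross_site_flow():
    sid = new_session()
    render_form(sid)  # the victim has loaded the form at some point
    # A page on another origin can make the victim's browser POST here and the
    # browser attaches the session cookie, but the same-origin policy stops that
    # page from reading form.php's HTML, so it never learns the token.
    unknown_to_attacker = secrets.token_hex(16)
    return process(sid, {"token": unknown_to_attacker, "symbol": "ACME", "shares": "10"})


def replay_flow():
    sid = new_session()
    token = render_form(sid)
    first = process(sid, {"token": token})
    second = process(sid, {"token": token})  # already consumed
    return first, second
```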