Cross-Site Request Forgery Protection

This article briefly explains what CSRF is and what Formular does to protect your application from it.

Introduction

CSRF is an attack on the data of your web application. The attacker gets a user who is logged in to your application to click a link, to visit a page that submits a form, or to do something else that makes the user's browser send a request to your application. Because the browser attaches the user's session cookie to that request, your application treats it as coming from that user, and the attacker can add, remove or modify data through the web interface of your application on the user's behalf.

See also

See the Wikipedia article on Cross-Site Request Forgery for more information and examples on the topic.

Preventing Attacks

  • We cannot prevent attacks by always using POST requests for permanent data modifications: a page on the attacker's site can contain a form that posts to your application and submits itself.
  • We cannot rely on the referrer to check that the client visited the page with the form, because browsers, proxies and privacy extensions may omit or strip it.

So we create a token which is sent to the user as part of the form and is also stored in the session of that user. The session can be kept on the server or in a cookie; in the latter case the cookie has to be signed so the client cannot tamper with it, but otherwise it doesn't really matter. Once we get the form back we read the submitted token and check whether it matches the one stored in the session of the authenticated user. A page on another site cannot read the form (and therefore the token) out of your application, so a matching token tells us that the submission came from the form we rendered for this session; a missing or mismatching token indicates a possible CSRF attack. To make sure a token cannot be replayed we remove it from the session as soon as the form has been submitted to the server.

Formular takes care of all this for you; you only have to provide the path to the form and a session object when instantiating a form.

How Does Formular Create Tokens?

Formular uses a string of 10 random bytes (80 bits of entropy). The quality of the random data depends on the platform, but it is ensured to be suitable for cryptographic use.
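The scheme described in "Preventing Attacks" and the token generation above, as an added example. This is illustration code written for this page, not Formular's own implementation: the helper names (generate_token, validate_token, render_form, handle_post, extract_token), the session key "_csrf_tokens" and the field name "_csrf_token" are assumptions. The session is a plain dict standing in for whatever server-side or signed-cookie session object you pass in.

```python
import hmac
import os

# Illustration for this page, not Formular's own code. All names below are
# assumptions made for the example.

TOKEN_BYTES = 10             # as in Formular: 10 random bytes, 80 bits of entropy
SESSION_KEY = "_csrf_tokens"  # assumed key under which tokens live in the session
FIELD_NAME = "_csrf_token"    # assumed name of the hidden form field


def generate_token(session, form_path):
    """Create a fresh token for the form at form_path and store it in the session.

    os.urandom() draws from the platform CSPRNG, so the token is suitable for
    cryptographic use. Tokens are keyed by form path so that several forms can
    be open in the same session at the same time without overwriting each other.
    """
    token = os.urandom(TOKEN_BYTES).hex()
    session.setdefault(SESSION_KEY, {})[form_path] = token
    return token


def validate_token(session, form_path, submitted):
    """Return True if submitted matches the token stored for form_path.

    The stored token is removed on every submission, successful or not, so a
    token is usable exactly once and a wrong guess cannot be retried against
    the same value.
    """
    expected = session.get(SESSION_KEY, {}).pop(form_path, None)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison: a plain == returns as soon as a character
    # differs and would leak the matching prefix length through timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def render_form(session, form_path):
    """Render the form with the token embedded as a hidden field."""
    token = generate_token(session, form_path)
    return (
        f'<form method="post" action="{form_path}">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        f'<input type="text" name="email"><input type="submit"></form>'
    )


def extract_token(html):
    """Pull the token out of rendered HTML, as the user's browser would have it."""
    return html.split(f'name="{FIELD_NAME}" value="')[1].split('"')[0]


def handle_post(session, form_path, form_data):
    """Process a submission; return an HTTP status code for the outcome."""
    if not validate_token(session, form_path, form_data.get(FIELD_NAME)):
        return 403  # token missing, wrong or already used: treat as CSRF
    return 200


if __name__ == "__main__":
    session = {}
    page = render_form(session, "/profile/edit")
    token = extract_token(page)
    # Legitimate submission: the browser sends back the token it saw in the page.
    print(handle_post(session, "/profile/edit", {FIELD_NAME: token, "email": "a@b.c"}))  # 200
    # Forged submission: an attacker's page posts the same fields but never saw
    # the token, because the same-origin policy stops it from reading our HTML.
    render_form(session, "/profile/edit")
    print(handle_post(session, "/profile/edit", {"email": "evil@x.y"}))  # 403
```

Removing the token on a failed check is deliberate: a forged request that guesses wrong also invalidates the token of the user's open form, which costs the user one re-render but denies the attacker any retries. If that trade-off is wrong for your application, pop the token only on a successful match.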
