This is why you check for tokens in the form that correspond to the current user's session. Rails does this for you automatically.