
Explain the mechanism by which a CSRF (Cross-Site Request Forgery) token protects against unauthorized requests, detailing how it is generated and validated.



CSRF (Cross-Site Request Forgery) is a type of attack where a malicious website, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site while the user is authenticated. A CSRF token is a randomly generated, unique value that is used to protect against these attacks. The mechanism works as follows:

1. Token Generation: When a user authenticates with a website, the server generates a unique CSRF token. This token should be unpredictable and cryptographically secure, so it is typically generated using a cryptographically secure random number generator.

2. Token Transmission: The server then transmits the CSRF token to the client (the user's browser) in two ways:
a. As a cookie: This cookie is typically marked `HttpOnly` and `Secure` to prevent client-side JavaScript from accessing it and to ensure it is only transmitted over HTTPS.
b. As a hidden field in forms or as a custom HTTP header: The CSRF token is also embedded in the HTML forms that the user will submit, or included as a custom header in AJAX requests.

3. Request Validation: When the user submits a form or makes an AJAX request, the browser sends the CSRF token along with the request. The server then validates the token by:
a. Comparing the token in the request (either from the form field or the HTTP header) with the token stored in the user's session (or a similar server-side storage mechanism).
b. Ensuring that the token is valid for the current user and has not expired.

If the tokens match and are valid, the server processes the request. If the tokens don't match or are invalid, the server rejects the request, preventing the CSRF attack.

The CSRF token protects against unauthorized requests because an attacker cannot easily obtain the correct CSRF token for a legitimate user. Even if the attacker tricks the user into visiting a malicious site that submits a request to the trusted site, the attacker won't be able to include the correct CSRF token in the request, so the server rejects it. The key is that the attacker can neither access the token stored in the user's cookie (due to the same-origin policy) nor predict the randomly generated token, which prevents them from forging a valid request. Without the CSRF token, an attacker could craft a malicious request that the user's browser would automatically send to the trusted site, potentially performing actions that the user did not intend to authorize. The CSRF token adds a layer of protection by ensuring that the user intended to perform the action associated with the request.
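The generation and validation steps above, as an added Python example that is not part of the original answer. It models the server-side session as a plain dictionary; the field name `csrf_token`, the header name `X-CSRF-Token` and the one-hour lifetime are assumptions for illustration.

```python
import hmac
import secrets
import time
from typing import Optional

# Assumed token lifetime; the answer only says tokens "expire".
TOKEN_TTL_SECONDS = 3600


def generate_csrf_token(session: dict, now: Optional[float] = None) -> str:
    """Step 1: mint an unpredictable token from a CSPRNG and keep a copy
    server-side in the authenticated user's session (synchronizer token)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe text
    session["csrf_token"] = token
    session["csrf_expires"] = now + TOKEN_TTL_SECONDS
    return token  # embed in the hidden form field / expose for the AJAX header


def extract_submitted_token(form: dict, headers: dict) -> Optional[str]:
    """Step 2b: the client echoes the token as a hidden form field
    or as a custom request header (names are assumed)."""
    return form.get("csrf_token") or headers.get("X-CSRF-Token")


def validate_csrf_token(session: dict, form: dict, headers: dict,
                        now: Optional[float] = None) -> bool:
    """Step 3: accept only if a token was submitted, it matches the
    session copy, and the session copy has not expired."""
    now = time.time() if now is None else now
    expected = session.get("csrf_token")
    submitted = extract_submitted_token(form, headers)
    if expected is None or submitted is None:
        return False  # forged cross-site requests carry no token at all
    if now > session.get("csrf_expires", 0):
        return False  # stale token: force a fresh one
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    session = {}
    token = generate_csrf_token(session)
    print("legit form post:", validate_csrf_token(session, {"csrf_token": token}, {}))
    print("forged request :", validate_csrf_token(session, {}, {}))
```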