class Rack::Protection::AuthenticityToken

def valid_token?(session, token)

Checks the client's masked token to see if it matches the session token.
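# Checks the token supplied by the client against the real token held in
# the session.
#
# Two token forms are accepted: an unmasked token is compared as-is, and a
# masked token is unmasked first. Anything else is rejected.
#
# @param session [Object] session handed through to compare_with_real_token
# @param token [String, nil] encoded token received from the client
# @return [Boolean] false when the token is missing, not a String, not
#   decodable or malformed; otherwise the result of compare_with_real_token
def valid_token?(session, token)
  # The token is client-controlled and may not be a String at all (for
  # example an Array or Hash produced by parameter parsing). Reject every
  # such value here so it fails closed instead of raising an unrelated
  # error inside decode_token.
  return false unless token.is_a?(String) && !token.empty?

  begin
    token = decode_token(token)
  rescue ArgumentError # token is not valid Base64
    return false
  end

  # Decide whether this is a masked token or not. Unmasked tokens that
  # were issued earlier must still be handled without error.
  # NOTE(review): compare_with_real_token is defined outside this block;
  # confirm it uses a constant-time comparison.
  if unmasked_token?(token)
    compare_with_real_token(token, session)
  elsif masked_token?(token)
    compare_with_real_token(unmask_token(token), session)
  else
    false # Token is malformed
  end
end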