Demonstration of why you should definitely not do what is suggested for CSRF protection + caching here: http://broadcastingadam.com/2011/05/advanced_caching_in_rails
The article was updated recently, and after some discussion with Adam it now shows a proper, safer way to do this: http://www.broadcastingadam.com/2012/07/advanced_caching_part_7-tips_and_tricks/
To run the demo, use Pow and set up the two apps as http://hacker-app.dev and http://test-app.dev.
Go to http://hacker-app.dev and try the buttons.