CheckAuthenticity checks the authenticity token in params against cookie - The masked token is inserted into forms and POSTS by js.

CurrentUser returns the saved user (or an empty anon user) for the current session cookie.

Middleware sets a token on every GET request so that it can be inserted into the view.