Typical anti-csrf (captcha) check looks like that: $_SESSION['csrf_token'] == $_POST['csrf_token']. What’s wrong with this code? If attacker sends POST request directly with empty csrf_token, then it will meet this condition and pass this check easily. So simply remember to verify if value is not-empty, and only then apply actual check.