10:
This should have a CSRF token

20:
Only checks if the length of the CSRF token is correct

30:
The CSRF token is the userID

40: 
Only checks that the token is not empty 

50: 
The system only checks if what you submitted is part of the CSRF token. 
This means that if you only submit "1" you have a good chance of randomly guessing a possible token.