Ok let me try to explain a bit.
With the right techniques, if you are logged in (or have been logged in before in the same browser session) as admin of your website, and you visit another website (or open an email message) with a specially crafted image/script, they could create a new admin user on the fly. Just by visiting a website or reading a mail.
To prevent this, any form (i.e. user creation/modification, or just page editing) should test whether the request to modify the page/user came from the authenticated user.
So, now any request to open a form will add a random code (token) that is only valid until the form is saved or the next code is generated.
So by opening a second form in a new tab, the first token is not valid anymore.
More importantly, if a third party creates the form-data to post, there will be no valid token in the data, and the data is rejected.
This site has a good explanation.
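
The token lifecycle described above, as an added example that is not part of the original post or of any project's code: one valid token per session, replaced whenever a form is opened and spent when the form is saved. The class name, the session id and the in-memory dictionary are assumptions; a real site would keep the token in its server-side session.

```python
import hmac
import secrets


class FormTokenStore:
    """Hypothetical store: one live form token per session."""

    def __init__(self):
        self._current = {}  # session id -> the single valid token

    def issue(self, session_id):
        # Opening any form generates a fresh token and replaces the old one.
        token = secrets.token_urlsafe(32)
        self._current[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._current.get(session_id)
        if not expected or not isinstance(submitted, str) or not submitted:
            return False  # no token issued, or none in the posted data
        # Constant-time comparison so timing does not leak the token.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        del self._current[session_id]  # form saved: the token is spent
        return True


def demo():
    store = FormTokenStore()
    sid = "session-admin"  # constructed session id
    tab1 = store.issue(sid)  # form opened in the first tab
    tab2 = store.issue(sid)  # second tab: the first token is replaced
    return {
        "third_party_post_without_token": store.verify(sid, None),
        "third_party_post_with_guess": store.verify(sid, "guess"),
        "first_tab_after_second_opened": store.verify(sid, tab1),
        "second_tab": store.verify(sid, tab2),
        "resubmit_after_save": store.verify(sid, tab2),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Rejected posts leave the current token in place here, so a forged request cannot invalidate the form the admin still has open.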