* Posts by Nick Clarke

1 publicly visible post • joined 31 Aug 2008

Cross-site hacks and the art of self defence

Nick Clarke
Boffin

Cookie + request parameter

A useful trick is to use a random-id cookie, and have JavaScript add a copy of the cookie value to the page submission as a form field or GET URL parameter. Then have the server reject the request if either the cookie or form field is missing, or they do not match.

This blocks a lot of CSRF attacks, because although the browser will happily include your server's cookie for requests sent to your server from a page on another domain, JavaScript on that page cannot access the cookie for your domain due to the same-origin policy, hence it cannot set the extra form field.