PDP of Gnucitizen fame has posted a very simple defence against CSRF attacks that avoids the complexity of generating additional session-management code and tokens. If you're a web developer, do it, do it now. Given that most developers don't know about CSRF, I'm sure there isn't much hope for this. Ideally, PHP and ASP.NET need to build this kind of protection into their session-management routines.
Tracked: Nov 26, 23:52