Tim's Weblog
Tim Strehle’s links and thoughts on Web apps, software development and Digital Asset Management, since 2002.
2007-07-17

Cross Site Request Forgery (CSRF/XSRF) questions and answers

cgisecurity.net - Cross Site Request Forgery (CSRF/XSRF) questions and answers:

"What can I do to protect my own applications?

Setting a short time period for user sessions is essential. Sites requiring the user to be logged in before performing an action can set the user's session to a short session period (say 5 minutes) to reduce the odds of a successful CSRF attack. In conjunction with this, prompt the user with a login page or strong CAPTCHA each time an important site action is performed.

[...] A popular suggestion for preventing CSRF involves appending session tokens to each request. This method is documented in multiple documents; however, as pointed out in mailing list postings, an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session token. Assuming that your browser is patched and free from all vulnerabilities, including through plugins such as Flash/Acrobat, all the time (keep dreaming), and that your website is free from all types of XSS, then the token method may be considered a suitable solution."
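The two defenses the quoted text describes, a per-session anti-CSRF token carried in every state-changing request and a short session lifetime, combined in one server-side check. This is an added example and not code from cgisecurity.net or from this blog; it assumes a session represented as a plain dict and form fields parsed into a dict, so it runs offline without a web framework. A cross-site forged request cannot read the victim's token (it lives only in the server-side session and the legitimately rendered form), so it arrives with the token missing or wrong and is rejected; once the short session window has elapsed, even a correct token is refused.

```python
import hmac
import secrets
import time

# Short session lifetime, as the quoted text suggests (5 minutes).
SESSION_TTL_SECONDS = 5 * 60


def new_session(now=None):
    """Create a session carrying a fresh, unguessable CSRF token and an expiry time."""
    now = time.time() if now is None else now
    return {
        "csrf_token": secrets.token_urlsafe(32),
        "expires_at": now + SESSION_TTL_SECONDS,
    }


def render_form(session):
    """Embed the session's token as a hidden field (constructed HTML for illustration).

    Only a page served by this site can contain the real token; an attacker's
    page on another origin cannot read it, which is what makes the check work.
    """
    token = session["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        "</form>"
    )


def verify_request(session, form_fields, now=None):
    """Decide whether a state-changing request may proceed.

    Returns (accepted, reason). Rejects, in order: an absent or expired session,
    a request without a token, and a token that does not match the session's.
    """
    now = time.time() if now is None else now
    if session is None or now >= session["expires_at"]:
        return False, "session expired"
    submitted = form_fields.get("csrf_token")
    if not submitted:
        return False, "missing token"
    # Constant-time comparison on bytes so the check neither leaks timing
    # nor raises on non-ASCII input supplied by a client.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session["csrf_token"].encode("utf-8")):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: a legitimate submission, a forged one, and an expired session.
    t0 = 1_000.0
    session = new_session(now=t0)
    print(render_form(session))
    print("legitimate:", verify_request(session, {"csrf_token": session["csrf_token"]}, now=t0 + 1))
    print("forged (no token):", verify_request(session, {"amount": "100"}, now=t0 + 1))
    print("after timeout:", verify_request(session, {"csrf_token": session["csrf_token"]},
                                           now=t0 + SESSION_TTL_SECONDS))
```

The token is compared with `hmac.compare_digest` rather than `==`, and a new token is minted for every session; in a real application the session dict would live in server-side storage keyed by the session cookie, and every POST handler would call `verify_request` before acting.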