Topic: Interesting article regarding security
I found this article interesting; the technique employed in the article should be applicable to xajax-enabled pages as well...
http://www.codewalkers.com/c/a/Miscella lications/
I'm tossing around the idea of a plugin that would provide support for this automatically:
1) a response plugin that will:
--- a) generate a token
--- b) update the session
--- c) send the token to the browser
2) a JavaScript component to:
--- a) intercept outgoing xajax requests
--- b) add the current token to the request
I see a potential problem... if the response is not received (dropped packet), the server and client will be out of sync. So, perhaps the session should store the last three (settable option) tokens and allow the client to send a prior token.
// Joe