David, I am trying to think of the effect this will have as applications have more and more AJAX calls. It seems like it would come down to implementing a central object for processing such requests and the developer would not need to worry about it, but then a mix of page requests and ajax calls would be a problem. I guess it would just mean that every page that is loaded would update the central ajax processing object with its token.
But then, a lot of times, there are asynchronous ajax requests going on that would make it impossible to keep a single token going. But, generally, you would only have one secure ajax request active at a time. Did you say this would only be for secure requests? Maybe allowing a rolling list of the last x tokens would help in the ajax environment when you want to allow concurrent secure requests. Varying the size of "x" would make the system more or less secure, right? In short, with more and more apps trying to emulate a desktop environment, this will be more of a problem, but on the other hand, such a client-side framework could take care of most of the work in making this happen. -Al
