David, I am just thinking out loud here, but if there were no AJAX calls, then your original approach would work, and if there were only AJAX calls then, as I described, all the requests could be run through a common xhr object and it could handle the tokens. So what if we used a dual random token approach, using some method to identify which type of token one is (a range, a prefix, etc.)?
-Al
