Alex Smolen

More ASP.NET CSRF Protection Options


Barry Dorrans created a filter for CSRF protection in ASP.NET. It’s inspired by the ASP.NET MVC CSRF token approach. It’s a simple and effective protection mechanism when you can’t use the ViewStateUserKey because you’ve disabled ViewState. It doesn’t rely on sessions either. Now if I could only get him to support GET requests on an opt-in basis! Check out his blog post and the code on CodePlex.