A CSRF/XSRF can be prevented using a number of techniques.

One of the techniques is to use a token unique to the client session with every request sent by the client to the server, which is then validated on the server side. If the request token and the token on the server side match, the request is allowed to enter the application; if they do not match, it is not allowed to enter. Thus a CSRF attack would be detected.

Though the idea behind this technique is very clear to me, I am not sure how URL rewriting could help prevent a CSRF attack. Can security gurus throw some light on this?

A: 

Here is a brief story that talks about URL rewriting. It says:

We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs — not once every 200 years but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.

Which I guess (and the article agrees) is one facet of a total approach to preventing this issue from happening. Microsoft also has a good article that talks about this.

shambleh
Thanks for the pointers.
Jugal Shah
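To make both mechanisms concrete, here is an added example (not from the question, the answer, or the articles they cite) that implements the per-session token check described in the question and the "URLs that expire every 10 minutes" idea from the quoted passage. SERVER_SECRET, the session ids and the /transfer path are constructed placeholders for illustration only.

```python
import hmac
import hashlib

# Constructed placeholder; a real deployment loads this from configuration, never from source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

WINDOW_SECONDS = 600  # rotate signed URLs every 10 minutes, as the quoted article proposes


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC(secret, session_id).
    The server can recompute it on every request instead of storing it;
    an attacker's page cannot read the victim's session id, so it cannot forge the token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_csrf_token(session_id: str, submitted: str) -> bool:
    """Recompute the expected token for this session and compare in constant time."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted)


def sign_url(path: str, session_id: str, now: float) -> str:
    """Append a signature bound to the path, the session and the current 10-minute window.
    A link copied into an e-mail stops validating once the window has passed."""
    window = int(now // WINDOW_SECONDS)
    msg = f"{path}|{session_id}|{window}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{path}?w={window}&sig={sig}"


def validate_signed_url(url: str, session_id: str, now: float) -> bool:
    """Accept the URL only if its window is the current one and its signature matches
    this session. Links from a past window (or forged for another session) are rejected."""
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    try:
        window = int(params["w"])
    except (KeyError, ValueError):
        return False
    if window != int(now // WINDOW_SECONDS):
        return False  # expired (or not yet valid) link
    msg = f"{path}|{session_id}|{window}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, params.get("sig", ""))
```

Note that a strict window comparison rejects a link issued one second before the boundary; a production variant would also accept the previous window to avoid breaking legitimate users mid-request.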