CSRF – safer protection

If the controls listed earlier are not enough, there are others that do work, and most development frameworks already include them. Here are some of them:

  • Form keys: A unique key included in each request to a URL; if the application receives a key it did not issue, or one that has already been used, it rejects the request, so a forged or replayed request fails.
  • Hashes: It is possible to add hashes of the session, the method, the keys, and so on. To be useful against forgery, the hash must be keyed with a server-side secret (an HMAC); a plain hash of public values is something the attacker can compute as well.
  • View state: .NET implements a control named view state, which carries the state of a page between requests. It includes an integrity check (a MAC) to detect manipulation, and when it is bound to the user's session (the ViewStateUserKey property) it also serves as a CSRF control.
  • Referer: HTTP requests carry a header known as Referer (the misspelling is part of the standard). You can use it to reject requests that do not come from your own site. However, do not rely on it too much; remember that anything sent from the client side can be modified, and some browsers, extensions and proxies strip the header entirely, so decide explicitly what to do when it is missing.
  • Tokens: The most widespread security control against CSRF is the use of tokens. These are unpredictable values, usually generated with a secure random generator or an HMAC, that can also be bound to data the attacker cannot obtain, such as the user's session identifier, so that a third-party page can neither read nor forge them.
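The two controls that do most of the work above, a session-bound HMAC token and a Referer/Origin check, can be combined in a single server-side gate. The following Python is an added example written for this page, not code from the book or from any framework it mentions; the secret key, the token lifetime, the header names and the `bank.example` origin are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Server-side secret used to key the HMAC. This literal is a constructed
# placeholder for the example; a real deployment loads it from a key store.
SERVER_SECRET = b"replace-me-with-a-random-32-byte-key"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a token
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _sign(session_id: str, nonce: str, issued_at: int) -> str:
    """HMAC over session id, nonce and issue time, so the token is bound
    to one session and cannot be minted without the server secret."""
    msg = f"{session_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def generate_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Return 'nonce.issued_at.mac' for embedding in a form as a hidden field."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # unpredictable per-form value
    return f"{nonce}.{now}.{_sign(session_id, nonce, now)}"


def validate_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this session."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued_str, mac = token.split(".")
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False  # expired or from the future
    expected = _sign(session_id, nonce, issued_at)
    # Constant-time comparison avoids leaking the MAC byte by byte.
    return hmac.compare_digest(expected, mac)


def referer_allowed(headers: dict, expected_origin: str) -> bool:
    """Defence-in-depth check on Origin (preferred) or Referer.

    A missing header is rejected here; that is a policy choice, since some
    clients strip Referer, and the token check below remains the primary control."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    actual_origin = f"{parts.scheme}://{parts.netloc}".lower()
    return actual_origin == expected_origin.lower()


def is_request_allowed(method: str, headers: dict, form: dict,
                       session_id: str, expected_origin: str,
                       now: Optional[int] = None) -> bool:
    """Gate for state-changing requests: safe methods pass, everything else
    needs a same-origin Referer/Origin and a valid session-bound token."""
    if method.upper() in SAFE_METHODS:
        return True
    if not referer_allowed(headers, expected_origin):
        return False
    return validate_csrf_token(form.get("csrf_token", ""), session_id, now)


if __name__ == "__main__":
    # Constructed sample exchange: the server issues a token for a session,
    # the legitimate form posts it back, a cross-site page cannot.
    sid = "sess-abc123"
    token = generate_csrf_token(sid)
    good = {"Origin": "https://bank.example"}
    evil = {"Referer": "https://evil.example/attack.html"}
    print("legitimate POST:", is_request_allowed("POST", good, {"csrf_token": token}, sid, "https://bank.example"))
    print("cross-site POST:", is_request_allowed("POST", evil, {}, sid, "https://bank.example"))
```

Binding the token to the session identifier means a token harvested from one user's page cannot be replayed against another user, and the expiry bounds how long a leaked token stays useful; the Referer/Origin check catches the simple cases cheaply but is deliberately not the only line of defence.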