The new strategy still uses the ViewState as the main entity for CSRF protection but also makes use of tokens (which you can generate as GUIDs) so that you can set the ViewStateUserKey to the token rather than the Session ID, and then validate it against the cookie. Depending on the resource youre accessing, youll need a user access token or app access token.The APIs reference content identifies the type of access token youll need. Without the CSRF token, there is no way we can verify. It includes codes from IETF Request for Comments (RFCs), other specifications, and some additional codes used in some common applications of the HTTP. Twitch APIs require access tokens to access resources. I keep the access token in cache (a variable in my app), and once expired or lost due to a reload, i use the refresh token to obtain a new access token. This way, the template will render a hidden element with the value set to the CSRF token. SignalR prevents CSRF by making it extremely unlikely for a malicious site to create a valid request for your SignalR application. The best way to mitigate the timeout is by using JavaScript to request a CSRF token on form submission. The system falls apart. It can be easily bypassed using the DOM, for example by creating a hidden