How to counter Cross Site Request Forgery?


We would like to create a unique string when a user logs in and pass the
string between actions. Each user can compare the incoming string with
the one stored in the session to assert whether the request is coming
from within the application or from a malicious external source.

What mechanism can we use to pass this string around?
Passing as params to the actions ,may not be an option as it can be seen
in the URL.