There are some basic defense strategies for preventing cross-site request forgery.
Dynamic security token
The most common solution is to generate and store a dynamic security token on the server and include it on every page that generates a request. The token submitted by the page is compared to the token stored on the server. If the tokens match, the request is executed. If not, the request is rejected and an error message is displayed. The token is a piece of information that an attacker cannot guess, since it changes with every request or every session. Tokens are most often stored in a hidden form field, which is then automatically passed to the server with each request. This approach works whether the token is generated per session, per page, or per form.
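The token check described above, as an added example that is not code from the original page. It assumes a per-session token, a hypothetical in-memory store named SESSION_TOKENS, and a hypothetical form field named csrf_token; the /transfer form is constructed sample input.

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
# A real application would keep this in its server-side session.
SESSION_TOKENS = {}

def issue_token(session_id):
    """Create (or reuse) the per-session token stored on the server."""
    token = SESSION_TOKENS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        SESSION_TOKENS[session_id] = token
    return token

def render_transfer_form(session_id):
    """Embed the token in a hidden field so it is sent back with the form."""
    token = html.escape(issue_token(session_id), quote=True)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )

def is_request_allowed(session_id, form):
    """Compare the submitted token with the one stored for this session."""
    expected = SESSION_TOKENS.get(session_id)
    submitted = form.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False  # no session token, or field missing: reject
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_post(session_id, form):
    """Return an HTTP-style (status, message) pair for a state-changing request."""
    if not is_request_allowed(session_id, form):
        return 403, "Invalid or missing CSRF token"
    return 200, f"Transferred {form.get('amount')}"
```

A token issued for one session is rejected when submitted under another, which is why the stored value is looked up by session rather than accepted from the request.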
A challenge-response test that requires the user to “prove they are human,” usually by identifying a series of letters or numbers that have been visually altered to make them unreadable to a computer.
Having your user re-enter their user name and password.
Requiring your user to enter a PIN.