Abstract: An improved method for preventing XSRF attack on a web site, which has a URL and is accessible from a port on a server. This invention: determines whether a requestor is legitimate; generates a session token for each session on the web site requested by the legitimate requestor; embeds the session token in a session cookie; additionally generates a security token; embeds the security token in the original request URL; and redirects the web site request to the newly formed URL. The subsequent request of the URL containing the security token allows the server to verify the token and serve the web site to the legitimate requestor. In other words the server's web site for that user for that session is: port/security token/URL/ form data.