So, I've never done any web penetration testing and consequently don't know enough about web security. However, I do know about UX and am struggling to create a nice user experience when CSRF tokens are regenerated on each request.
When a user has multiple tabs open and is working in both of them, the security tokens will be invalid when switching. How could you get around this? Also, what do you do when a user hits reload on a form? Do you throw an exception, or redirect to the form page and re-populate the fields?
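As an added illustration of one common answer to the multi-tab problem (this is example code written for this page, not code from the poster): instead of rotating a single synchronizer token on every request, bind tokens to the session with an HMAC over a per-session key. Every rendered form gets its own token, but any token minted for the session stays valid until it expires, so two tabs, or a reload that re-renders the form, never invalidate each other. The class and function names (`SessionCsrf`, `issue`, `verify`, `multi_tab_demo`), the one-hour TTL and the token layout are assumptions chosen for the demo, not an established library API.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed lifetime for a minted token; tune to the application's session length.
TOKEN_TTL_SECONDS = 3600

NONCE_LEN = 16          # random per-token nonce
TS_LEN = 8              # issue time, big-endian seconds
TAG_LEN = 32            # HMAC-SHA256 tag


class SessionCsrf:
    """Hypothetical per-session CSRF token issuer.

    The session holds one secret key (stored server-side with the session).
    Each form render mints a fresh token = nonce || timestamp || HMAC(key, form_id || nonce || timestamp).
    Verification is stateless: any unexpired token for this session and form id is accepted,
    so concurrent tabs and reloads all hold valid tokens at the same time.
    """

    def __init__(self, session_key: Optional[bytes] = None) -> None:
        # In a real app this key lives in the server-side session store.
        self.session_key = session_key or secrets.token_bytes(32)

    def _tag(self, form_id: str, payload: bytes) -> bytes:
        # Scope the token to a specific form so a token leaked from one form
        # cannot be replayed against another.
        msg = form_id.encode("utf-8") + b"\x00" + payload
        return hmac.new(self.session_key, msg, hashlib.sha256).digest()

    def issue(self, form_id: str, now: Optional[float] = None) -> str:
        ts = int(time.time() if now is None else now)
        payload = secrets.token_bytes(NONCE_LEN) + ts.to_bytes(TS_LEN, "big")
        return base64.urlsafe_b64encode(payload + self._tag(form_id, payload)).decode("ascii")

    def verify(self, token: str, form_id: str, now: Optional[float] = None) -> bool:
        ts_now = int(time.time() if now is None else now)
        try:
            raw = base64.urlsafe_b64decode(token.encode("ascii"))
        except (ValueError, UnicodeEncodeError):
            return False
        if len(raw) != NONCE_LEN + TS_LEN + TAG_LEN:
            return False
        payload, tag = raw[: NONCE_LEN + TS_LEN], raw[NONCE_LEN + TS_LEN :]
        # Constant-time compare so the tag check does not leak timing information.
        if not hmac.compare_digest(tag, self._tag(form_id, payload)):
            return False
        issued = int.from_bytes(payload[NONCE_LEN:], "big")
        # Reject tokens from the future and tokens older than the TTL.
        return 0 <= ts_now - issued <= TOKEN_TTL_SECONDS


def multi_tab_demo() -> dict:
    """Simulate two tabs plus a reload of the same form within one session.

    All timestamps are constructed values so the result is deterministic.
    """
    session = SessionCsrf()
    t0 = 1_700_000_000
    tab1 = session.issue("profile", now=t0)           # first tab renders the form
    tab2 = session.issue("profile", now=t0 + 5)       # second tab renders the same form
    reloaded = session.issue("profile", now=t0 + 10)  # user hits reload in tab 1
    other = SessionCsrf().issue("profile", now=t0)    # token minted for a different session
    check_at = t0 + 20
    return {
        "tab1_still_valid_after_tab2": session.verify(tab1, "profile", now=check_at),
        "tab2_valid": session.verify(tab2, "profile", now=check_at),
        "reloaded_valid": session.verify(reloaded, "profile", now=check_at),
        "wrong_form_rejected": session.verify(tab1, "settings", now=check_at),
        "other_session_rejected": session.verify(other, "profile", now=check_at),
        "expired_rejected": session.verify(tab1, "profile", now=t0 + TOKEN_TTL_SECONDS + 1),
        "garbage_rejected": session.verify("not-a-token", "profile", now=check_at),
    }


if __name__ == "__main__":
    for name, ok in multi_tab_demo().items():
        print(f"{name}: {ok}")
```

On reload, the handler simply re-renders the form with a newly issued token; the token the browser already held stays usable until it expires, so no exception or redirect is needed for the CSRF check itself. Per-session tokens are weaker than strict per-request rotation only if a token is exfiltrated (for example through an XSS or a leaky referrer), so keep the TTL short and rotate the session key on login and privilege changes.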