The question really comes down to what you want to achieve. If you want to combat CSRF attacks, a secret token in addition to the session key is your way. However, changing the marker in each request will cause problems - not only the back button will be disabled, but since one web page usually contains a lot of asynchronous and parallel loaded data (images, css, javascript, etc.), your the approach will not include additional data for subsequent loading, since each additional request will change the required token, thereby killing the session.
You can get around this by inserting all the resources on the page through BASE64 and other tricks, but this will seriously hinder your capabilities and may have compatibility issues with some browsers.
So, ultimately, your approach will not add a lot of security, but it is likely to create a number of potential problems for your customers. I stick with one secret token per session in the anti-CSRF URL and concentrate on protecting against other XSS attacks and user-friendly security measures, such as two-factor authentication using a smartphone or something similar. In the end, the user is the # 1 attack vector at the moment.
Update (2012-06-14)
The token will not fight against XSS attacks, but it will be protected from basic CSRF attacks (for example, by implanting a dummy URL in the image). I really had a situation at work today, where I needed to receive a request for a modification from the user, and processed some code . The code can also be used to protect static, session-timeout form - and link -tokens (correctly your problem).
The idea is to have a secret server that is used to create a hash / AuthToken over data for protection. If the rogue jug code tries to change any of the data data, AuthToken will not match. In my specific problem, I have one server that authenticates the user and must send its information to a third party (username, email address, name, etc.). This GET request can be easily changed by any user after authentication, so I have to authenticate the GET Request parameters. By rebooting the AuthenticationToken-Process, a third party can compare the received AuthTokens, thus checking the incoming data. Without shared secrecy, it is (almost) impossible to fake data.
According to your problem: the presence of a static token in GET and POST requests (or dynamic, for example, my project) will protect you from simple CSRF attacks through, for example, links on forums that the user must click to attack. Since the link will never contain the correct token, your web page will be safe. However, if an attacker manages to download javascript to a web page via XSS, you will be screwed, and no technique in the world will help against it, since javascript can scan the entire DOM tree of the page to find the capture of any tokens of any kind.
So, it comes down to the following:
- use tokens in GET and POST requests to combat CSRF
- protect your page from XSS injection