Just fun and interesting stuff...
The test team could not find any XSRF bugs in code that was based on ASP.NET MVC; the base controller eliminated the possibility that developers could make this error.
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC