我通过jquery字符串发送Cross站点伪造令牌，但在下一页我生成一个新令牌然后他们的令牌将永远不会匹配

Okay, so I am storing their tokes in a session:

Session::get('token', 'randomtokenstringhere');

On each form, whether it's successful or not I generate a new token, and update their session token, now say for example user 1 is on a update profile page, and I serialize a form, with a token on page load echo the token variable) and they submit the form, which runs an ajax, and either completes or there's an error, my system generate a new token, but now on the edit profile page, they're still using the old token, so now their tokens will never match.

How can I fix this for extra security?

Here's an example of my ajax:

<!-- accept, reject, add and cancel friend requests -->
$('.add_friend').click(function(event) { // bind function to submit event of form
    event.preventDefault();
    $.ajax({
        url: $(this).attr('href'),
        success: function(responseText) {
            if($(event.target).text() == 'Add as friend'){
                $(event.target).attr("href", "<?php echo Config::get('URL'); ?>friends/cancel_request/" + $(event.target).attr('id') + "/<?php echo System::escape(Session::get('token')); ?>");
                $(event.target).text('Cancel Request');
                $(event.target).removeClass("add_friend btn btn-success").addClass("cancel_request btn btn-info");                  
            }else{
                $(event.target).attr("href", "<?php echo Config::get('URL'); ?>friends/addfriend/" + $(event.target).attr('id') + "/<?php echo System::escape(Session::get('token'));?>");
                $(event.target).text('Add as friend');  
                $(event.target).removeClass("cancel_request btn btn-info").addClass("add_friend btn btn-success");                  
            }
        }
    });
    return false;
});
<!-- End Like a status -->

which ofcourse run the following link:

<a class="add_friend btn btn-success" id="<?php echo System::escape($likes->timeline_likes_id); ?>" href="<?php echo Config::get('URL'); ?>friends/addfriend/<?php echo System::escape($likes->user_id).'/'.System::escape(Session::get('token')); ?>"><?php echo System::translate("Add as friend"); ?></a>

Their token is: System::escape(Session::get('token')); ?> which will only load on page refresh which defauts my reason for using ajax