18/03/2013, 14:11
Ronin46
 
Reply: Question about session hijacking

This is the link I was looking for: http://shiflett.org/articles/session...ing#comment-21

Quote:
There may need to be some tweaking to allow for near-simultaneous requests both of which are legitimate. I addressed it by comparing the request token presented in the cookie with not just "last-issued" token but also "second-last issued token", and imposed a limitation that the time-difference between the two must be no more than 3 seconds – otherwise the 2 requests are not deemed near-simultaneous and the server kills the session under the suspicion that legitimate requests are accompanied by malicious requests.
__________________
http://www.controldegastos.com, I welcome suggestions for the site.
Repeat after me: "I have to devote more time to enjoying pleasure"
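
The scheme described in the quote above, sketched in Python as an added example; it is not code from this post or from the linked comment. The class name, the method names, and the choice to re-send the current token (rather than rotate again) when the second-last token is accepted are assumptions of this example, and the timestamps in `demo()` are constructed.

```python
import hmac
import secrets

GRACE_SECONDS = 3.0  # window given in the quoted comment


class RotatingTokenSession:
    """One session whose cookie token is replaced on every request."""

    def __init__(self, now):
        self.alive = True
        self.previous = None                      # second-last issued token
        self.current = secrets.token_urlsafe(32)  # last issued token
        self.current_issued_at = now

    @staticmethod
    def _same(a, b):
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        return b is not None and hmac.compare_digest(a.encode(), b.encode())

    def handle_request(self, presented, now):
        """Return the token for the response cookie, or None if the session is dead."""
        if not self.alive:
            return None
        if self._same(presented, self.current):
            # Normal case: consume the token and issue a fresh one.
            self.previous, self.current = self.current, secrets.token_urlsafe(32)
            self.current_issued_at = now
            return self.current
        if (self._same(presented, self.previous)
                and now - self.current_issued_at <= GRACE_SECONDS):
            # Parallel request sent before the new cookie arrived: re-send, do not rotate.
            return self.current
        # Stale or unknown token: treat as replay and kill the session.
        self.alive = False
        self.previous = self.current = None
        return None


def demo():
    """Constructed timeline (seconds) showing accept, grace, and kill."""
    s = RotatingTokenSession(now=0.0)
    t0 = s.current
    t1 = s.handle_request(t0, now=10.0)        # rotates t0 -> t1
    parallel = s.handle_request(t0, now=10.5)  # old token, 0.5 s later: accepted
    t2 = s.handle_request(t1, now=20.0)        # rotates t1 -> t2
    replay = s.handle_request(t1, now=30.0)    # old token, 10 s later: killed
    after = s.handle_request(t2, now=31.0)     # even the real token is now rejected
    return parallel == t1, t2 is not None, replay, after, s.alive
```

Killing the session on a stale token also logs out the legitimate user, which is the intended signal that the token was presented by more than one party.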