Great post, one point though: I’ve seen a fair number of people over-react to CSRF and implement a solution that breaks the back button or breaks using the site from multiple tabs.
You mention that you:
to generate (and track, with timeout) a unique random key for every single HTML FORM you send down to the client.
I think it would help to explain how you verify that the token is correct. The naive solution where the most recently generated token is the only valid token breaks the back button (since it has a form with a previous token) and also tabbed browsing.
Also, what does generating a fresh token with each request gain for you? If you suspect an attacker can grab the token when they see the request, why would the attacker not just grab your cookie so they can take complete control over your session?
Understanding how the additional token adds security is important, since developers are currently rolling their own solutions.
Twitter for many months had their own solution that broke the back button and tabbed browsing. They claimed changing the only valid token with each request made the system more secure, but in reality it broke the browsing experience with no added security.
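To make the verification point concrete, here is an added example (not code from the original post, the commenter, or Twitter) contrasting the naive "only the latest token is valid" store with a per-session store that tracks every issued token with a timeout. The class and method names, the TTL and the cap on outstanding tokens are all assumptions chosen for illustration; `ManualClock` exists only so the expiry behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time
from collections import OrderedDict


class NaiveCsrfStore:
    """One token per session; only the most recently issued token is valid.

    Every new page load invalidates the form already open in another tab or
    reachable via the back button, which is exactly the breakage described above.
    """

    def __init__(self):
        self._latest = {}  # session_id -> most recently issued token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._latest[session_id] = token
        return token

    def validate(self, session_id, token):
        current = self._latest.get(session_id)
        if current is None or not isinstance(token, str):
            return False
        return hmac.compare_digest(current, token)


class MultiTokenCsrfStore:
    """Per-form tokens tracked per session with a timeout (assumed design).

    Every issued token stays valid until it expires, is used once, or is evicted
    because the session holds more than `max_tokens` outstanding forms. Old tabs
    and back-button pages therefore keep working within the TTL.
    """

    def __init__(self, ttl_seconds=3600, max_tokens=50, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max = max_tokens
        self._clock = clock
        self._tokens = {}  # session_id -> OrderedDict[token -> issued_at]

    def _prune(self, session_id, now):
        """Drop expired tokens for the session; return its bucket (or None)."""
        bucket = self._tokens.get(session_id)
        if bucket is None:
            return None
        for tok in [t for t, ts in bucket.items() if now - ts > self._ttl]:
            del bucket[tok]
        return bucket

    def issue(self, session_id):
        now = self._clock()
        bucket = self._prune(session_id, now)
        if bucket is None:
            bucket = self._tokens[session_id] = OrderedDict()
        token = secrets.token_urlsafe(32)
        bucket[token] = now
        while len(bucket) > self._max:
            bucket.popitem(last=False)  # evict the oldest outstanding form token
        return token

    def validate(self, session_id, token):
        now = self._clock()
        bucket = self._prune(session_id, now)
        if not bucket or not isinstance(token, str):
            return False
        # Compare against every live token with a constant-time compare and
        # no early exit, so timing does not reveal which token matched.
        matched = None
        for live in bucket:
            if hmac.compare_digest(live, token):
                matched = live
        if matched is None:
            return False
        del bucket[matched]  # single-use: a replayed submission is rejected
        return True


class ManualClock:
    """Injectable clock so expiry can be tested deterministically (demo helper)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

The token is still bound to the session, so a value captured from one user's form is useless in another session, and the single-use rule is what stops a replayed submission; neither property depends on invalidating every previously issued token on each request.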