Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Attacks from remote sites can be stopped reliably with the Referer header. I put a feature into sudo that requires the referer host of a page to match the host you logged in on. Unfortunately, this causes a usability problem: you cannot just type http://myhost/acs-admin because the Referer header is null and you get a policy violation. This could be solved with a page that links to the various admin pages. This could be generated as part of the sudo package.
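The check described in the post above, written out as an added Python example (this is not OpenACS or sudo-package code): the Referer host must equal the host the user logged in on, a missing Referer on anything except the linking page is a policy violation, and a launcher page is the one place a typed-in URL is accepted. The launcher path /sudo/, the function names, and the decision to compare hostnames only (ports and userinfo ignored) are assumptions made for the example.

```python
"""Referer-host policy check, modelled on the one described in the post.

Assumptions (example code, not OpenACS): the host the user logged in on is
stored at login time and passed in as `login_host`; the page that links to
the admin pages lives at the hypothetical path "/sudo/" and is the only
place a request without a Referer is accepted.
"""
from urllib.parse import urlsplit


class PolicyViolation(Exception):
    """Raised when a request does not satisfy the referer-host policy."""


def referer_host(referer):
    """Extract the lowercase hostname from a Referer value.

    Returns None when the header is absent, empty, or carries no host
    (a bare path or a malformed value), so callers treat those cases
    exactly like a missing header.
    """
    if not referer:
        return None
    # hostname drops scheme, userinfo and port, so "https://myhost@evil.example/"
    # yields "evil.example", not "myhost".
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def check_referer(path, referer, login_host, launcher_paths=("/sudo/",)):
    """Allow the request only if it was reached from a page on the login host.

    - A launcher page is allowed with no Referer: it is the page a user types
      in, and it links to the real admin pages.
    - Every other request must carry a Referer whose host equals the host the
      user logged in on. A missing Referer (typed URL) is rejected, which is
      the usability problem the post mentions.
    Returns True on success and raises PolicyViolation otherwise.
    """
    if path in launcher_paths:
        return True
    host = referer_host(referer)
    if host is None:
        raise PolicyViolation("missing Referer on %s (typed URL?)" % path)
    # Exact comparison: a suffix match would let myhost.evil.example through.
    if host != login_host.lower():
        raise PolicyViolation("Referer host %r != login host %r" % (host, login_host))
    return True


def is_allowed(path, referer, login_host):
    """Boolean wrapper around check_referer for callers that just want yes/no."""
    try:
        return check_referer(path, referer, login_host)
    except PolicyViolation:
        return False


def launcher_page(admin_paths, login_host):
    """Build the linking page the post proposes: one absolute link per admin
    page, all on the login host, so clicking through always sends a Referer
    that passes check_referer. Returns the HTML as a string."""
    links = "\n".join(
        '<li><a href="https://%s%s">%s</a></li>' % (login_host, p, p)
        for p in admin_paths
    )
    return "<ul>\n%s\n</ul>" % links


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/sudo/", None),                                  # typed launcher URL
        ("/acs-admin", None),                              # typed admin URL
        ("/acs-admin/users", "https://myhost/sudo/"),      # click from launcher
        ("/acs-admin", "https://evil.example/attack.html"),
        ("/acs-admin", "https://myhost@evil.example/"),
    ]
    for path, ref in samples:
        print("%-20s Referer=%-38r allowed=%s" % (path, ref, is_allowed(path, ref, "myhost")))
    print(launcher_page(["/acs-admin/", "/acs-admin/users"], "myhost"))
```

Two points worth keeping in mind when using a check like this: the host comparison must be exact (not a suffix match) or a hostile subdomain-looking name passes, and because a missing Referer is treated as a violation, a browser or proxy that strips the header hits the same error as a typed URL; the launcher page only solves the typed-URL case.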