Cross Site Request Forgery (CSRF) and other types of fraudulent submission in an electronic environment can be mitigated using state information that typically is already maintained for various users. Each submission requiring authentication includes a state identifier (ID). The state ID is compared to corresponding a state ID submitted in a relatively secure format, such as in a secure token or cookie. If the state ID matches a state ID in the secure token received from the user, and the state ID is valid, the submission is processed. Otherwise an interstitial page, including the state ID and a secure token, is generated to prompt the user to confirm the submission. A subsequent confirmation submission will contain the proper state ID and the new cookie, and can be processed. If no confirmation is received from the user with a valid state ID, the submission is not processed.