While reading through an article titled 'Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks' on MSDN recently, I came across a new property for the Page class I'd never noticed before: ViewStateUserKey. The documentation for this property states:
Assigns an identifier to an individual user in the view state variable associated with the current page
It turns out this property can be used to add a user-specific string to the ViewState of a Page, which is then verified on PostBack. Why? This means you can be sure that any form information submitted came from the same user who requested the original page, thus preventing one-click attacks.
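One way to apply this, as an added example that is not code from this post or from the MSDN article: a base page class that uses Session.SessionID as the user-specific string and logs PostBacks that fail view state validation. The class name UserBoundPage and the session slot "__vsuk_pin" are hypothetical, and the code assumes session state and the view state MAC (on by default) are enabled.

```csharp
using System;
using System.Web.UI;

// Added example. "UserBoundPage" and "__vsuk_pin" are hypothetical names;
// pages would inherit from this class instead of Page.
public class UserBoundPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // With cookie-based session state, SessionID changes on every request
        // until something is stored in Session. Store a marker so the ID seen
        // when the form is rendered matches the one seen on PostBack.
        if (Session["__vsuk_pin"] == null)
        {
            Session["__vsuk_pin"] = true;
        }

        // Assign the key during initialization, before view state is loaded
        // on PostBack. It only has an effect while the view state MAC is on.
        ViewStateUserKey = Session.SessionID;

        base.OnInit(e);
    }

    protected override void OnError(EventArgs e)
    {
        // View state issued under a different key fails validation. Record
        // the rejection so cross-user submissions are visible in the logs.
        Exception ex = Server.GetLastError();
        ViewStateException vse = ex as ViewStateException;
        if (vse == null && ex != null)
        {
            vse = ex.InnerException as ViewStateException;
        }

        if (vse != null)
        {
            // Fully qualified: inside a Page, "Trace" is the page TraceContext.
            System.Diagnostics.Trace.TraceWarning(
                "View state rejected: path={0} remote={1} referer={2}",
                vse.Path, vse.RemoteAddress, vse.Referer);
        }

        base.OnError(e);
    }
}
```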
I highly recommend you read the article above for more information, and for techniques to prevent other common attacks...