CSRF ONLY work at HttpSession level

Hi, experts

Through my experiment at WebMethods DEV integration server, when I turned ON csfr, CSRF only works at current session.

If I refreshes dap page or log in new session, CSRF function goes off ( I can access dsp page)

In conclusion, CSRF works ONLY inside HTTP session

please let me know how to solve this issue

Thanks

Leon