DWR is using DWRSessionID token for CSRF protection and it is not changing for each user session means logout from application is not changing the DWRSessionID and we will see same DWRSessionID by logging again without closing the browser.
This could be an issue (CSRF) if somebody steal the DWRSessionID and trying to send the links via email it will process the link if user is logged in again tinto the application as DWR is using the same DWRSessionID per browser instance instead of user session.
Is the above really an issue for CSRF or it is ok to have same DWRSessionID per browser instance instead of per user session.