The purpose of By-reference is to swap the original message with surrogate data.

By-reference is often Meaningless But Unique Number or a Universally Unique Identifier that the "Real" data can ONLY be found within a "protected" Data Store

The surrogate data could be referenced to the original message later but typically only by the original system in which created the original reference.

By-reference is in contrast to by-value

By-reference does not contain anything that is related to the original data and therefore, other than Replay attack is considered secure.

A CSRF Token included in a Transport-layer Security Mechanism session SHOULD prevent any replay attack

More Information#

There might be more information for this subject on one of the following: