CSRF and Browser Cookie Settings
#2

(This post was last modified: 11-18-2017, 05:35 AM by PaulD.)

CSRF requires cookies. In fact, sessions require cookies too.

I suppose you could do it without cookies, although that seems very complicated. You would have to pass a session identifier and a CSRF token in all your URLs, which seems a bit of a nightmare to me.

I would be interested in alternative answers to this too, and this is a great question IMHO. If a user has cookies disabled in their browser, then none of my sites would work. I had not considered this before.

Even detecting that is a pain. You would need to attempt to set a cookie, then redirect to another page, and then see if the cookie was set or not for that page, and if not, set an alert of some description.

It might be easier to have a JS test to see if cookies are enabled and display a message if not. But then you would have to test to see if JS was enabled or not too.

I have never had any issues related to any of this, so I assume switching off JS or cookies is very rare. I would also guess that anyone who did would be used to sites not working properly because of this in general, but I think a more satisfactory answer must be out there.

Best wishes,

Paul
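The set-cookie, redirect, re-check detection described in the post above, as an added example that is not part of the original thread. It is framework-agnostic Python: a three-state handler (first visit sets a probe cookie and redirects once with a marker parameter; the marker without the cookie means cookies are off; the cookie coming back means sessions and CSRF tokens will work) plus a tiny simulated browser so the flow can be run offline. The cookie and parameter names are hypothetical.

```python
"""Server-side probe for cookie support: set a probe cookie, redirect once to
the same URL with a marker parameter, then check whether the cookie came back.
Constructed example; the handler is framework-agnostic."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PROBE_COOKIE = "cookie_probe"   # hypothetical name of the probe cookie
PROBE_PARAM = "cookie_check"    # hypothetical marker: "we already redirected once"


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""
    set_cookie: dict = field(default_factory=dict)


def handle(url: str, cookies: dict) -> Response:
    """One request to the probed page. Three states, so the redirect never loops."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if PROBE_COOKIE in cookies:
        # The probe came back: the browser accepts cookies, so sessions and
        # cookie-backed CSRF tokens will work for this client.
        return Response(200, body="cookies-enabled")
    if PROBE_PARAM not in query:
        # First visit: set the probe cookie and redirect to the marked URL.
        query[PROBE_PARAM] = ["1"]
        target = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
        return Response(302, location=target, set_cookie={PROBE_COOKIE: "1"})
    # Marker present but no cookie: the browser dropped it. Stop redirecting
    # and show the "enable cookies" message instead of a broken login.
    return Response(200, body="cookies-disabled")


def simulate_browser(url: str, accepts_cookies: bool, max_hops: int = 5):
    """Minimal client: follows redirects, stores cookies only if accepts_cookies.
    Returns (final body, number of requests made)."""
    jar: dict = {}
    hops = 0
    while hops < max_hops:
        hops += 1
        resp = handle(url, jar)
        if accepts_cookies:
            jar.update(resp.set_cookie)
        if resp.status != 302:
            return resp.body, hops
        url = resp.location
    return "redirect-loop", hops
```

Both browser modes finish in exactly two requests; a client that refuses cookies is told so on the second request rather than being bounced indefinitely.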