Can you prevent XSRF by including the session key in the params of all POST requests?


Will this idea work? It seems pretty stupid, because my app is simply checking that the browser sent two copies of the same information (i.e. the session key).

Also, remembering to make this check sounds very tedious. Do web frameworks such as Rails and CakePHP have things that make it easier to write XSRF-proof web apps?


Solution

Assuming that the session key is not leaked (which could happen if your PHP is poorly configured and uses session.use_trans_sid) and you are not vulnerable to session fixation attacks, yes, this is secure. This is because a request forger cannot read your cookies, and thus does not know what the correct value is.

You may be interested in CSRF Magic, which claims to allow you to protect your application by including a single file.
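The check described in the question and answer, written out as an added example (not code from the question, the answer, or CSRF Magic). It keeps the double-submit idea: the server compares a value the browser sends in the cookie with a value the browser sends in the form body, and a cross-site forger can supply only the first. One deliberate difference from the question's wording: instead of echoing the raw session key into every form, the token is derived as an HMAC of the session key under a server secret, so the page markup never carries the session identifier itself. `SERVER_SECRET`, the cookie name `session`, the field name `csrf_token`, and the sample requests are all assumptions constructed for the demonstration; the framework-agnostic `cookies`/`form` dictionaries stand in for whatever request object a real framework provides.

```python
import hashlib
import hmac

# Assumed server-side secret for this example; a real deployment loads it
# from configuration and never ships it to the browser.
SERVER_SECRET = b"example-server-secret-change-me"


def derive_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return the anti-forgery token for a session.

    The token is HMAC-SHA256(secret, session_id). It is bound to the session
    (a different session yields a different token) but does not reveal the
    session identifier, so it can safely be written into page markup.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Emit a form that carries the token as a hidden field (constructed HTML)."""
    token = derive_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def verify_csrf(cookies: dict, form: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Double-submit check: the form value must match the token derived from
    the session cookie. Missing either value fails closed."""
    session_id = cookies.get("session")
    submitted = form.get("csrf_token")
    if not session_id or not submitted:
        return False
    expected = derive_csrf_token(session_id, secret)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, submitted)


def handle_post(cookies: dict, form: dict) -> tuple:
    """A state-changing handler that refuses to act unless the CSRF check passes."""
    if not verify_csrf(cookies, form):
        return (403, "CSRF check failed")
    return (200, f"transfer of {form.get('amount', '?')} accepted")


if __name__ == "__main__":
    # Constructed sample: a logged-in browser holds this session cookie.
    browser_cookies = {"session": "sess-7f3a"}

    # Legitimate submission: the form the server rendered carries the token.
    good_form = {"csrf_token": derive_csrf_token("sess-7f3a"), "amount": "10"}
    print(handle_post(browser_cookies, good_form))      # (200, 'transfer of 10 accepted')

    # Cross-site submission: the browser still attaches the cookie, but the
    # foreign page cannot read it and so cannot produce the matching token.
    forged_form = {"amount": "10"}
    print(handle_post(browser_cookies, forged_form))    # (403, 'CSRF check failed')
```

The point the answer makes is visible in the two calls at the bottom: both requests arrive with the victim's session cookie, and only the one whose form body also contains the session-bound token is accepted. On the question's second concern, frameworks do centralise this so the check is not repeated by hand; Rails, for example, applies it to all non-GET requests through `protect_from_forgery`.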