Tags: security, csrf, csrf-protection

If your site doesn't use cookies do you still need to worry about CSRF protection?


I have been reading up on CSRF/XSRF a bit and a lot of it seems to talk about cookies as they can be involved in logging the user back in automatically.

So I was just wondering: if your site doesn't use cookies, do you still need to worry about using it, or do you need to worry about using it on publicly accessible forms?

I assume you still do as the user could already be logged in within the browser and then they could be exposed to it.

As for public forms, obviously the only reason you would want protection on these is if you didn't want remote sites posting to them correct!?


Solution

  • Cross-Site Request Forgery, CSRF, isn't an attack directed at cookie-implementing sites; it's an attack that involves the ability to cause a user's browser visiting site A to invoke an action on site B - normally one in which they have to log in to access, but it isn't necessary.

    For instance, assume you have a simple "Contact Us" form on Site B. This form is publicly accessible and requires no user login. If Site A can submit this form from a client's browser via JavaScript (or Flash, etc.), then this would be considered CSRF, as the "Contact Us" form will appear to have originated from the end user, who never actually visited Site B.

    Now, this attack is far more dangerous when actions are more complex than a simple "Contact Us" form, say, "Transfer money from account X to account Y". These actions generally require a user to be logged in to the site, which also normally uses a cookie of some form (Session IDs are sent back and forth from the browser to the server as cookies). Without CSRF protection (such as tokens), the "Transfer" action could be performed as long as the user has an actively opened session. If, however, the site actually saves a cookie to allow a "Remember Me" function where the user doesn't need to submit their credentials each time, the CSRF should be able to submit without the user having an active session as well.
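The token protection the answer mentions, worked through as an added example (not code from the original post) using the synchronizer-token pattern: the server stores a random token in the user's server-side session, embeds it as a hidden field in the genuine form, and rejects any state-changing POST that does not echo it back. Framework-agnostic: `session` is a dict standing in for session storage, `request` is a dict with `method` and `form` keys, and the field name `csrf_token` is this example's choice; all of these are assumptions, not something the answer specifies.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # hidden-field name; an assumption of this example

def issue_token(session: dict) -> str:
    """Create (or reuse) a per-session random token for embedding in forms."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]

def render_form(session: dict) -> str:
    """The 'Contact Us' form from the answer, with the token as a hidden field."""
    return (
        '<form method="post" action="/contact">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}">'
        '<textarea name="message"></textarea><button>Send</button></form>'
    )

def is_valid_request(session: dict, request: dict) -> bool:
    """Accept a state-changing request only if it carries this session's token."""
    if request.get("method", "GET").upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token is needed
    expected = session.get(TOKEN_FIELD)
    submitted = request.get("form", {}).get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    # constant-time comparison so a mismatch does not leak the token byte by byte
    return hmac.compare_digest(expected, submitted)

def demo() -> dict:
    """Legitimate submission vs. cross-site POSTs that cannot see the token."""
    session = {}                      # constructed: one logged-in user's session
    html = render_form(session)       # the genuine page embeds the token
    token = session[TOKEN_FIELD]
    legit = {"method": "POST", "form": {TOKEN_FIELD: token, "message": "hi"}}
    # Site A can make the browser POST fields to Site B, but the same-origin
    # policy stops it reading Site B's page, so it never learns the token value.
    forged = {"method": "POST", "form": {"message": "spam"}}
    guessed = {"method": "POST",
               "form": {TOKEN_FIELD: secrets.token_urlsafe(32), "message": "spam"}}
    return {
        "legit_ok": is_valid_request(session, legit),
        "forged_ok": is_valid_request(session, forged),
        "guessed_ok": is_valid_request(session, guessed),
        "token_in_form": token in html,
    }
```

The check only helps when the token is bound to a per-user session the attacker cannot read; for a truly anonymous public form it distinguishes nothing, since anyone can fetch the form and its token directly.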