On my website, I put a hidden field in with a randomised value, and I also store that value in the Session at the same time. When the form is submitted, I ensure that the submitted value matches the session value.
Is this sufficient for CSRF protection? Anyone hacking a website to force a user to unknowingly POST to my website will have no idea what the CSRF token is that I generated, and so their attack will fail. The only way to get that token is to do a GET request to the server, and extract the cookie out and post it.
Is that possible? Or in other words, do you have to include a cookie as part of the protection against CSRF? I've not seen it mentioned here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
except for the 'double submitting cookies' part.
Yes, that is sufficient for CSRF protection. For maximum protection, make sure the hidden, randomized value (the CSRF token) changes every time a request is made.
Cookies are typically recommended because they are easy to use and most web frameworks have a built-in convenient way of utilizing them.
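As an added illustration (not code from the question or the answer above), the following Python sketch implements the pattern the question describes: a random token stored server-side in the session and echoed in a hidden form field, with the POST accepted only when the two match. It also applies the answer's advice to rotate the token on every request by making each token single-use. The `session` dict, the `form` dict and the function names are stand-ins chosen for this example, not any framework's API.

```python
import hmac
import secrets

# Key under which the server-side session stores the current CSRF token
# (name chosen for this example).
SESSION_KEY = "csrf_token"


def issue_token(session: dict) -> str:
    """Generate a fresh random token, store it in the session, return it for the hidden field."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session[SESSION_KEY] = token
    return token


def render_form(session: dict) -> str:
    """Return the HTML of a form carrying the session's token in a hidden field."""
    token = issue_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"></form>'
    )


def validate_token(session: dict, form: dict, rotate: bool = True) -> bool:
    """Accept the POST only if the submitted hidden field equals the session token.

    With rotate=True the stored token is consumed on every check, success or
    failure, so a value can never be replayed; the next form render issues a new one.
    """
    expected = session.get(SESSION_KEY)
    submitted = form.get("csrf_token")
    if rotate:
        session.pop(SESSION_KEY, None)
    if not expected or not submitted:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, submitted)


def simulate() -> dict:
    """Walk through the flows the question asks about, on a constructed session."""
    session = {}  # constructed: server-side session of one logged-in user

    # 1. Legitimate flow: the browser GETs the form, then POSTs the token it contained.
    token = issue_token(session)
    legit = validate_token(session, {"csrf_token": token, "amount": "10"})

    # 2. Replay: the same token submitted again is rejected because it was consumed.
    replay = validate_token(session, {"csrf_token": token, "amount": "10"})

    # 3. Forged cross-site POST: the victim's cookies ride along, so the session
    #    is found, but the forging page cannot read the form and has no token.
    issue_token(session)
    forged = validate_token(session, {"amount": "1000"})

    # 4. A random value of the right shape does not match the stored token.
    issue_token(session)
    guessed = validate_token(session, {"csrf_token": secrets.token_urlsafe(32)})

    return {"legit": legit, "replay": replay, "forged": forged, "guessed": guessed}


if __name__ == "__main__":
    print(simulate())
```

The important property is that the token is bound to the session on the server and compared in constant time; the hidden field is just the channel by which the legitimate page hands it back. A page on another origin can make the browser send the victim's cookies, but it cannot read the response that contains the hidden field, which is why the check in step 3 fails without any cookie-based token.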