What is the purpose of using a session id when csrf protection is already implemented?

I know that to protect web applications from Cross Site Request Forgery, the only secure method is implementing a CSRF token. My question is, isn't it possible to use the CSRF token to track sessions also? Why should we implement a different session id to track the sessions?

Anonymous Platypus Avatar asked Nov 18 '14 10:11

1 Answer

A CSRF token is a value that must be generated randomly and associated with a session (a user) in EVERY GET that shows a form, to prevent a false POST. This false POST comes from the user's browser too, so, to authenticate the POST, you need a session with the token stored in server memory to check whether the token that comes with the POST is the same as the one stored in the user's session.

Also, web apps should need to identify users in a GET, and CSRF tokens are only in POST.

Sessions need to be static to identify a user over time and across several requests, due to the disconnected nature of HTTP. The CSRF token changes on every GET; it cannot be used like a session.

On the other hand, what should the server do with your idea? Create a new session on every GET and copy all previous session data to the new session? This is crazy.

Take a look at this pdf at Montana State University. It helps me to understand CSRF.

jlvaquero Avatar answered Oct 07 '22 02:10