Some developers include a cookie with a value to validate that the request received by the application comes from a valid place. However, remember that the main problem with the cookies is that they are always stored in the client side, so it's possible to get them just by submitting a request using the web browser. These cookies work more as a session identifier than an anti-CSRF token; they are just like adding two session IDs.