CSRF cookie vs session based tokens

Storing the token in a cookie is not a solution to the CSRF problem. The CSRF vulnerability arises from the fact that the browser automatically sends cookies along with the request. As a result, the application considers that request as coming from a valid (and authenticated) user. The only thing the attacker needs is the exact request that should be sent. Introducing a random anti-CSRF token (request-specific or session-specific) makes it impossible (or just very difficult) to prepare a valid request (in the general case the attacker doesn't know the valid value of the anti-CSRF token), and such a request will be dropped by the server.

If you put your token in a cookie, it will be sent to the server automatically, just like the session cookie, so you don't get any additional protection from that.

EDIT: I might have misunderstood your question. You may be talking about the so-called double submit cookie pattern, where the same value is sent in a hidden field and in a cookie.

Yes, this approach is acceptable when storing the CSRF token in the session is problematic; you can read more about it here: Double Submit Cookies.


Whilst I can't think of any direct attacks on such a system, I would argue that it's not a very good idea to put such tokens on the client side. You're opening yourself up to potential leaks. Storing them in the session makes them impossible to retrieve.