I was thinking about this and it appears POST only a little less vulnerable and somewhat harder (do to requiring the user to click something).
I read about token ids and double submitted cookies and i am not sure what the difference is
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies
Right now i have the user id (PK in my table) and a session id so you cant simply change your cookie ID and act like someone else. Now it seems like i put the session id as a token in each of my forms and check them bc attackers cant guess these tokens. However i dislike the idea of putting the session id into the page for ppl to see. But really, is there a problem with that? short of having the user copy/pasting the html is there any attacks that can happen due to the session id being in plain view in html?
If the user can copy a link with a token in it, this is very insecure. Likewise for the current address: if you use a static session ID, a referral to an outside site or a screenshot will render the session compromised. Even if you don’t have a static session ID, the user can put his mouse over a link and it will show in the bottom of his browser, and then take a screenshot, once again rendering his session compromised.