I need to add CSRF protection to an existing site and I'm referring to http://phpmaster.com/preventing-cross-site-request-forgeries/ as a guide on how to prevent CSRF.
In the link, it is suggested that we use $_SESSION as a way of storing the token. I'd like to know if using $_COOKIE is just as safe. Are there any drawbacks of using $_COOKIE over $_SESSION?
EDIT: Any idea if using a $_COOKIE instead of $_SESSION is PCI Compliant?
In the vast majority of cases the PHP session identifiers are transferred through cookies as well (session cookies).
If this is also true for your site -- which it almost certainly is -- then consider what happens if an attacker gains access to your cookies (e.g. through XSS): they don't have any need for CSRF because they can simply hijack the session and enter through the front door. Conclusion: there is no additional security risk if you store the CSRF token in a cookie.
A minor drawback for using an additional CSRF cookie is that it will increase the volume of incoming HTTP traffic by a tiny bit, but that's really just a theoretical difference.
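For reference, here are the two storage strategies the question and answer compare, written out as an added example (this code is mine, not the question's, the answer's, or the phpmaster article's). The function names, the `csrf_token` key, the placeholder secret and the constructed session id are all assumptions; `$_SESSION` / `$_COOKIE` are passed in as arrays so the functions can be exercised from the command line without a web server.

```php
<?php
// Added example: CSRF token stored in the session vs. in a cookie
// ("double submit"). Storage arrays are passed in explicitly so that
// $_SESSION or $_COOKIE can be substituted at the call site.

// Fresh, unpredictable token: 32 random bytes, hex-encoded.
function csrf_generate_token(): string {
    return bin2hex(random_bytes(32));
}

// Strategy 1 (the linked article): the token lives server-side in the
// session and a copy is embedded in every state-changing form.
function csrf_store_in_session(array &$session): string {
    $token = csrf_generate_token();
    $session['csrf_token'] = $token;
    return $token;
}

function csrf_validate_session(array $session, ?string $submitted): bool {
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals compares in constant time, so the token does not leak
    // through timing differences.
    return hash_equals($session['csrf_token'], $submitted);
}

// Strategy 2 (double submit cookie): the token is sent to the browser as a
// cookie, the form carries a copy, and the server checks that both match.
// The cookie value is an HMAC over the session id with a server-side
// secret, so the server can also confirm the cookie was minted for this
// session rather than accepting any value that merely appears twice.
function csrf_cookie_value(string $session_id, string $secret): string {
    return hash_hmac('sha256', $session_id, $secret);
}

function csrf_validate_cookie(array $cookie, ?string $submitted,
                              string $session_id, string $secret): bool {
    if (!isset($cookie['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    $expected = csrf_cookie_value($session_id, $secret);
    return hash_equals($expected, $cookie['csrf_token'])
        && hash_equals($expected, $submitted);
}

// Cookie attributes for the double-submit cookie. HttpOnly stays off only
// because client-side script must read the value to echo it in an
// XMLHttpRequest/fetch header; Secure and SameSite restrict where the
// browser will send it. (Options-array form of setcookie: PHP >= 7.3.)
function csrf_send_cookie(string $value): void {
    setcookie('csrf_token', $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,
        'samesite' => 'Strict',
    ]);
}

// Constructed demo, run with `php csrf_example.php`; no request involved.
if (PHP_SAPI === 'cli') {
    $session    = [];                                  // stands in for $_SESSION
    $form_token = csrf_store_in_session($session);
    var_dump(csrf_validate_session($session, $form_token));
    var_dump(csrf_validate_session($session, 'not-the-token'));

    $secret = 'PLACEHOLDER-replace-with-a-long-random-server-side-secret';
    $sid    = 'constructed-session-id';
    $cookie = ['csrf_token' => csrf_cookie_value($sid, $secret)]; // stands in for $_COOKIE
    var_dump(csrf_validate_cookie($cookie, $cookie['csrf_token'], $sid, $secret));

    // A cookie value the server did not mint is rejected even when the form
    // field matches it, because the HMAC check fails.
    $foreign = ['csrf_token' => 'some-other-value'];
    var_dump(csrf_validate_cookie($foreign, 'some-other-value', $sid, $secret));
}
```

The session variant needs no secret because the comparison value never leaves the server. The cookie variant keeps the token out of server-side state, which is what makes the HMAC binding to the session id worth the extra line: without it, the check only proves that two request fields are equal, not that either one came from this application.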