Use CSRF protection without breaking your site for users without cookies

CSRF protection should be an important part of the security strategy of every modern web application. The downside is that it can break your site if the user does not allow you to set any cookies: Yii keeps the CSRF token in a cookie, so without cookies every validated request fails, and unless you explain this the user only gets a (possibly cryptic) warning message. But you can have both. Simply add this to your config/main.php:

```php
'request'=>array(
	'enableCookieValidation'=> true,
	// Validate CSRF tokens only when the browser sent cookies at all.
	'enableCsrfValidation'	=> !empty($_COOKIE), // <- This does the trick!
	'csrfTokenName'		=> 'csfr',
),
```



Be sure to set a cookie (a simple test cookie is enough) as early as possible on every page: as long as Yii finds no cookies in the request, CSRF validation stays disabled.
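A fuller version of this setup, added here as an example and not the wiki author's code: the request component from above plus an assumed base controller (`Controller`) that issues the CSRF token cookie itself on the first cookie-less response, so that the token cookie doubles as the "test cookie" and validation is active from the second request on.

```php
<?php
// ---- protected/config/main.php (excerpt) ----
// PHP fills $_COOKIE before the config is loaded, so this check reflects
// exactly the cookies the browser sent with the current request.
$config = array(
    'components' => array(
        'request' => array(
            'enableCookieValidation' => true,
            // Enforce CSRF only when the browser sends cookies at all: without
            // cookies there is no cookie-bound session for a cross-site request
            // to ride on. Caveat: do not use this trick if you authenticate
            // without cookies (HTTP Basic auth is also attached automatically
            // by the browser), because validation would then stay off.
            'enableCsrfValidation'   => !empty($_COOKIE),
            'csrfTokenName'          => 'csfr',
        ),
    ),
);

// ---- protected/components/Controller.php (assumed base controller) ----
class Controller extends CController
{
    public function init()
    {
        parent::init();
        // First request without any cookie: the config above has switched CSRF
        // validation off for it. Create and send the token cookie now, so it
        // acts as the "test cookie" the article asks for and validation is on
        // from the next request. getCsrfToken() creates the cookie even while
        // validation is disabled; with enableCookieValidation it is signed
        // like every other cookie written through the request component.
        if (empty($_COOKIE)) {
            Yii::app()->request->getCsrfToken();
        }
    }
}
```

Forms rendered on that first, cookie-less response carry no hidden token field (CHtml::form adds it only while enableCsrfValidation is true), so a POST from such a page would be rejected on the next request; on those pages render the field yourself with CHtml::hiddenField(Yii::app()->request->csrfTokenName, Yii::app()->request->csrfToken).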