Question is not specific to PHP only, it is generic for Web development, language will not matter.

PHP has session tokens through which server will identify the session id of a specific user, (this is similar to many other languages). These tokens can be sent via cookies or via embedding in urls. In terms CSRF attacks, urls one are much better but these also expose many other security issues as token is embedded automatically (if you did not change your ini settings) to urls.

In sum, I would like to mention that it depends on the architecture you are using to authenticate the requests sent by your browser.

Token are necessary to identify a requests, and best thing about such token is that you can build your security logic around them yourself.

For example, many applications use Oauth to verify subsequent requests from users. In oauth, generating a short lived token and and sending it to server is the responsibility of your code (… or your programmer) instead of your browser.

… and in one line : as HTTP is stateless protocol, tokens are necessary to authenticate subsequent request from browser.