Recently, I've learned that cookies are sent automatically with every request, and this behaviour makes some websites vulnerable to CSRF. From what I've learned, CSRF can be prevented by using CSRF tokens that are stored in the client's JavaScript or Storage APIs, but NOT in the cookies (to prevent them from being sent automatically too).
My question is: if I have an authentication cookie and a CSRF token, why not just use tokens instead of cookies? Why not rely only on tokens that are not stored in the cookies?
Can I remove cookie authentication from my application and let the client just send a token in the headers or something like that (maybe X-Authentication-Token)?
I think this approach has many advantages, like not having to store and manage two UUIDs on the database, and not having to send the CSRF token in the body. What do you think?
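The following is an added illustration of the mechanism the question is asking about; it is not code from the asker. It models the two browser rules the question relies on (cookies for a site ride on every request to that site, whoever triggered it; a site's storage and custom request headers are reachable only by that site's own script) and runs one cross-site request against two server variants: one that authenticates by a session cookie and one that authenticates by an X-Authentication-Token header. The site names bank.example and evil.example, the in-memory session store, and the storage key "token" are assumptions for the example.

```python
"""Why cookie authentication is CSRF-prone and a header-carried token is not.

Assumptions (not from the question): the site is bank.example, the attacker
page is evil.example, the session token is opaque and random, and the client
keeps the token in the site's own storage and copies it into
X-Authentication-Token on each request.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed server-side session store: token -> user name.
SESSIONS: Dict[str, str] = {}


def login(user: str) -> str:
    """Issue one opaque random token for this login (the single ID the question wants)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def lookup(token: Optional[str]) -> Optional[str]:
    """Find the user for a token, comparing in constant time to avoid timing leaks."""
    if not token:
        return None
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


@dataclass
class Request:
    target: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class Browser:
    """Minimal model of a browser's cookie jar and per-site storage."""

    def __init__(self) -> None:
        self.cookie_jar: Dict[str, Dict[str, str]] = {}
        self.storage: Dict[str, Dict[str, str]] = {}

    def set_cookie(self, site: str, name: str, value: str) -> None:
        self.cookie_jar.setdefault(site, {})[name] = value

    def set_storage(self, site: str, key: str, value: str) -> None:
        self.storage.setdefault(site, {})[key] = value

    def same_site_request(self, site: str) -> Request:
        """The site's own JavaScript: it can read its storage and add the header."""
        headers: Dict[str, str] = {}
        token = self.storage.get(site, {}).get("token")
        if token:
            headers["X-Authentication-Token"] = token
        return Request(site, dict(self.cookie_jar.get(site, {})), headers)

    def cross_site_request(self, attacker: str, target: str) -> Request:
        """A form or image on the attacker's page aimed at another site.
        The browser still attaches the target's cookies; the attacker's script
        can neither read the target's storage nor set custom headers."""
        assert attacker != target
        return Request(target, dict(self.cookie_jar.get(target, {})), {})


# Two server-side variants of a state-changing endpoint, returning (status, user).
def handle_cookie_auth(req: Request) -> Tuple[int, Optional[str]]:
    user = lookup(req.cookies.get("session"))
    return (200, user) if user else (401, None)


def handle_header_auth(req: Request) -> Tuple[int, Optional[str]]:
    user = lookup(req.headers.get("X-Authentication-Token"))
    return (200, user) if user else (401, None)


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    """Log in as alice, then send the same cross-site request to both variants."""
    SESSIONS.clear()
    browser = Browser()
    token = login("alice")
    browser.set_cookie("bank.example", "session", token)   # cookie-based deployment
    browser.set_storage("bank.example", "token", token)    # header-based deployment
    csrf = browser.cross_site_request("evil.example", "bank.example")
    own = browser.same_site_request("bank.example")
    return {
        "cookie_auth_cross_site": handle_cookie_auth(csrf),  # (200, 'alice'): CSRF succeeds
        "header_auth_cross_site": handle_header_auth(csrf),  # (401, None): no token, rejected
        "header_auth_same_site": handle_header_auth(own),    # (200, 'alice'): legitimate client
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The header variant rejects the forged request because nothing on the attacker's page can attach the header, not because the token is secret from the browser. The flip side, which the model also shows, is that the legitimate client's script must be able to read the token from storage to attach it, so any script running in that origin (for example via XSS) can read it as well; cookies marked HttpOnly are not readable that way. That trade-off is the main thing to weigh before dropping the cookie.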