You may be thinking of CSRF mitigations. XSS exploits are more dangerous and can do more than steal sessions.