    > There is no reason why a session can only be created
    > after login.
You're right, I didn't type carefully above – I mean that a session cookie can only be used to identify the current user of the website with an existing customer once the user has authenticated with the customer's credentials.

In your second scenario, while of course you could store a random value in a "CSRF cookie" on every page load, of what use could it be if you don't also store the "last CSRF cookie value" somewhere on the server and compare against that on new requests?
