I think I found a security weakness. If the packet is generated cross script, and no csrf is provided as a parameter then it may pass the check as there will be no session variable either, and "" === "".
So a > "" check needs to be done against both the parameter and the session variable.
Should I be using a session variable for this? I would think I need a super global in this instance, but am willing to be corrected!