I worked on a legacy application that did this as a stop-gap as CSRF tokens were being implemented, and it just kept both approaches.