#5890 - Consider additionally validating CSRF via cookie

This is a spacer post for a website comment topic. The content this topic relates to: #5890 - Consider additionally validating CSRF via cookie
Will need to make special considerations for http_requests.

If we REALLY wanted to go hardcore, we could also make it so the cookie is a different token from what is put on the forms. Both are stored with the user session. And both need to be validated accordingly and matched correctly server-side to pass. That way, if the token is stolen from one method, it still won't work. Maybe this could be a config option, and enabled only with the "high/extreme" security profiles by the Setup Wizard.

This might not work for AJAX requests because they need a way to get a CSRF token. They do this through a secondary AJAX request that fetches a token, but this method would prevent setting an HttpOnly CSRF cookie for additional validation.
Actually, OWASP does not recommend transmitting the token as a cookie for the sync token CSRF method in stateful apps (and Composr is stateful).
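An added example (not Composr's own code) of the two-token scheme proposed above: the form token and the cookie token are independent secrets stored with the server-side session, the cookie is issued HttpOnly, and a request is accepted only when both submitted values match their stored counterparts. The `Session`, `cookie_header`, `cookie_token_from_header` and `validate` names are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "csrf_cookie"  # assumed cookie name, not Composr's


@dataclass
class Session:
    """Server-side session record. The two tokens are generated
    independently, so learning one reveals nothing about the other."""
    form_token: str = field(default_factory=lambda: secrets.token_hex(32))
    cookie_token: str = field(default_factory=lambda: secrets.token_hex(32))


def cookie_header(session: Session) -> str:
    """Set-Cookie value for the cookie-side token. HttpOnly keeps page
    scripts from reading it; Secure and SameSite limit where it is sent."""
    return (f"{COOKIE_NAME}={session.cookie_token}; "
            "HttpOnly; Secure; SameSite=Strict; Path=/")


def cookie_token_from_header(cookie_line: str) -> Optional[str]:
    """Extract the cookie-side token from a request's Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_line)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def validate(session: Session, form_token: Optional[str],
             cookie_token: Optional[str]) -> bool:
    """Accept the request only when BOTH tokens match the session copies.
    A stolen form token alone, or a stolen cookie alone, is rejected.
    Constant-time comparison avoids leaking match length via timing."""
    if not form_token or not cookie_token:
        return False
    form_ok = hmac.compare_digest(session.form_token, form_token)
    cookie_ok = hmac.compare_digest(session.cookie_token, cookie_token)
    return form_ok and cookie_ok
```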

Closing.
