Implemented this, but not quite as described. The security tokens are simply the session IDs. This has the advantage of not breaking the back button as the token can be re-used, having a much simpler implementation (no new DB table, for example), and being more robust. If the session ID was stolen, it is a theoretically weaker solution, but stealing of session IDs is already a major risk in itself and something we specifically guard against.
There is an option for configuring what pages to not use this with, in case external integrations are required that do not have access to the session ID.
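The check this comment describes, written out as an added PHP example that is not Composr's own code: the function name, the exemption list and the page names are assumptions made for illustration. It shows the token being re-usable across submissions, the exempt pages bypassing the check, and everything else failing closed.

```php
<?php
declare(strict_types=1);

// Hypothetical exemption list: pages that external integrations post to
// without knowing the session ID (names constructed for this example).
const CSRF_EXEMPT_PAGES = ['payment_callback', 'inbound_webhook'];

/**
 * Decide whether a request passes the CSRF check when the token is the session ID.
 */
function csrf_check_passes(string $method, string $page, ?string $session_id, ?string $submitted_token): bool
{
    // Only state-changing requests need a token.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    // Configured pages skip the check entirely, so they must authenticate another way.
    if (in_array($page, CSRF_EXEMPT_PAGES, true)) {
        return true;
    }
    // No session or no submitted token: fail closed.
    if ($session_id === null || $session_id === '' || $submitted_token === null || $submitted_token === '') {
        return false;
    }
    // Constant-time comparison so response timing does not leak the session ID.
    return hash_equals($session_id, $submitted_token);
}

// Constructed sample requests: [method, page, session ID, submitted token].
$session = bin2hex(random_bytes(16));
$cases = [
    'form post with matching token'           => ['POST', 'edit_profile', $session, $session],
    'same form resubmitted after back button' => ['POST', 'edit_profile', $session, $session],
    'cross-site post without a token'         => ['POST', 'edit_profile', $session, null],
    'cross-site post with a guessed token'    => ['POST', 'edit_profile', $session, str_repeat('0', 32)],
    'exempt integration page, no session'     => ['POST', 'payment_callback', null, null],
];

foreach ($cases as $label => $args) {
    printf("%-42s %s\n", $label, csrf_check_passes(...$args) ? 'allow' : 'reject');
}
```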