add session id to CSRF
@jamie I have doubts about this - as it's coming from an AJAX call I think it will not match the user session?
An AJAX call should be coming from the browser just like any other call and should therefore match the session id of the user (and it seems to work during my testing). In addition, as I understand it, a CSRF token must match the session id to be effective as a CSRF token (see https://portswigger.net/web-security/csrf#csrf-token-is-not-tied-to-the-user-session).
mentioned in commit e1bfd3a6
I'm having some second thoughts about this one. I think I was wrong - two AJAX calls, even if from the same browser, apparently don't result in the same session ID. I've modified remoteform so that the CSRF token comes back along with the session id that generated it so the next call can include that session id. It kinda defeats the purpose of including the session id.
I'm not entirely sure what this means - I do think that technically a CSRF token must include the session id or it won't properly work as a CSRF token. On the other hand, I don't think submitting credit card payment necessarily needs a proper CSRF token. I suppose you could trick someone's browser into submitting a string of stolen cards so it's their IP that gets banned. But, that's not really an effective CSRF attack.
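The point argued in the thread (a CSRF token is only effective when it is bound to the user's session, and a token echoed back with a client-supplied session id is not really bound to anything) can be shown with a small session-bound token scheme. The following is an added example, not code from remoteform or from the participants in this merge request. It assumes an HMAC-based design: the server derives the token from a persistent server secret, the session id it reads from its own session cookie, and a random nonce, so a token minted for one session cannot be validated under another. The session ids, secret and request dictionaries are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment keeps one persistent secret
# on the server and never sends it to the client.
SECRET_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Mint a CSRF token bound to `session_id`.

    The token is `nonce.mac`, where mac = HMAC-SHA256(secret, session_id:nonce).
    Only the token leaves the server; the session id it was bound to does not
    need to be echoed back, because the server re-derives it from the cookie.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = SECRET_KEY) -> bool:
    """Return True only if `token` was minted for `session_id` under `secret`."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    return hmac.compare_digest(mac, expected)


def handle_form_post(request: dict, trust_client_session_id: bool = False) -> bool:
    """Simulate the server-side check on a form submission.

    `request` is a constructed stand-in for an HTTP request with a session
    cookie and form fields. With trust_client_session_id=False the session id
    comes from the cookie the browser sent, which is the binding that makes the
    token useful. With trust_client_session_id=True the server accepts a
    session id supplied in the form (the pattern the thread describes as
    "defeating the purpose"), so any token plus its matching id passes.
    """
    form = request.get("form", {})
    token = form.get("csrf_token", "")
    if trust_client_session_id:
        session_id = form.get("session_id", "")
    else:
        session_id = request.get("cookies", {}).get("session", "")
    return verify_csrf_token(token, session_id)


def demo() -> dict:
    """Walk through the scenarios discussed in the thread and return the outcomes."""
    sid_a, sid_b = "sess-A", "sess-B"  # constructed session ids
    token_a = make_csrf_token(sid_a)

    # Same browser, same session cookie: the token validates.
    same_session = handle_form_post(
        {"cookies": {"session": sid_a}, "form": {"csrf_token": token_a}}
    )
    # A second call that lands in a different session: the token must fail,
    # which is the behaviour observed with two AJAX calls in the thread.
    other_session = handle_form_post(
        {"cookies": {"session": sid_b}, "form": {"csrf_token": token_a}}
    )
    # Echoing the session id back and trusting it from the client makes the
    # token validate regardless of which session the cookie names.
    client_supplied = handle_form_post(
        {"cookies": {"session": sid_b},
         "form": {"csrf_token": token_a, "session_id": sid_a}},
        trust_client_session_id=True,
    )
    return {
        "same_session": same_session,
        "other_session": other_session,
        "client_supplied_session_id": client_supplied,
    }


if __name__ == "__main__":
    print(demo())
```

If the application genuinely cannot keep a stable session across the calls that fetch and then submit the form, a token that is validated against a client-supplied session id offers no more protection than no token at all; the binding has to be to something the server itself controls (the cookie-backed session, or a separate server-side store keyed by the token).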