Problem/Motivation
Any route using the _csrf_token requirement doesn't work for users without session because the CSRF checker fails as the CSRF seed is not stored anywhere.
Proposed resolution
Only add a CSRF token if a session is started.
Remaining tasks
User interface changes
Flag supports anonymous users (and there was much rejoicing).
API changes
CsrfAccessCheck constructor requires a new argument but it's a service so noone should be constructing it anyways.
Data model changes
None.