Application-Gateway
CSRF Protection for anonymous requests
Currently, CSRF protection is only possible for authenticated users. However, if the application handles any kind of session management by itself, it would be useful to also be able to check for CSRF attacks even when the user is not authenticated (for example on the login form itself, or on other state-changing anonymous requests).
-> Create a CSRF token before the user is logged in.
-> Change the already present CSRF validation so that it also validates requests when the user is not yet authenticated.
When the user is not yet authenticated we of course cannot bind the CSRF token to a user session. Because of that, the anonymous token should go without this binding (it can only be bound to the browser, e.g. via a cookie), and a new session-bound token should be generated as soon as the user has signed in. The old anonymous token must not stay valid for the authenticated session, otherwise a token an attacker obtained before login could be replayed afterwards.
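The following is an added example sketching the two-phase scheme described above; it is not code from Application-Gateway and makes no assumption about how that project stores sessions. It assumes a server-side secret (`SECRET_KEY`), a cookie that carries a random nonce, and a token sent by the client in a header or form field. Anonymous tokens are an HMAC over the nonce with an `anon` scope, so they are tied to the browser that holds the cookie but to no user session; after login the gateway issues a fresh token whose HMAC additionally covers the session id, and validation picks the expected scope from whether the request is authenticated. All names (`issue_anonymous_token`, `issue_session_token`, `validate_csrf`, `login`) are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: a key known only to the gateway. An attacker who cannot read it
# cannot mint a token that matches a cookie nonce they planted themselves.
SECRET_KEY = b"hypothetical-gateway-secret-change-me"


def _sign(*parts: str) -> str:
    """HMAC-SHA256 over the scope and its parts, joined with a separator."""
    msg = "|".join(parts).encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_anonymous_token() -> Tuple[str, str]:
    """Return (cookie_nonce, csrf_token) for a not-yet-authenticated client.

    The nonce goes into a cookie (HttpOnly, SameSite=Lax in practice); the
    token is embedded in the page/form. Only the browser that received the
    cookie can submit a matching pair, and only the server can compute it.
    """
    nonce = secrets.token_urlsafe(32)
    return nonce, _sign("anon", nonce)


def issue_session_token(session_id: str) -> Tuple[str, str]:
    """Return (cookie_nonce, csrf_token) bound to an authenticated session."""
    nonce = secrets.token_urlsafe(32)
    return nonce, _sign("session", session_id, nonce)


@dataclass
class Request:
    """Hypothetical view of an incoming request as the gateway sees it."""
    session_id: Optional[str]   # None when the user is not authenticated
    csrf_cookie: Optional[str]  # nonce from the CSRF cookie
    csrf_token: Optional[str]   # token from header or hidden form field


def validate_csrf(req: Request) -> bool:
    """Validate for both anonymous and authenticated requests.

    The scope is chosen from the request's authentication state, so an
    anonymous token is rejected once a session exists (and vice versa).
    """
    if not req.csrf_cookie or not req.csrf_token:
        return False
    if req.session_id is None:
        expected = _sign("anon", req.csrf_cookie)
    else:
        expected = _sign("session", req.session_id, req.csrf_cookie)
    return hmac.compare_digest(expected, req.csrf_token)


def login(req: Request, new_session_id: str) -> Optional[Tuple[str, str]]:
    """Handle the login POST: check the anonymous token, then rotate.

    Returns the new session-bound (cookie_nonce, csrf_token) pair to set on
    the response, or None if the anonymous CSRF check failed.
    """
    if req.session_id is not None or not validate_csrf(req):
        return None
    # Rotation: the pre-login token is dropped and a bound one issued.
    return issue_session_token(new_session_id)


if __name__ == "__main__":
    nonce, token = issue_anonymous_token()
    anon_req = Request(session_id=None, csrf_cookie=nonce, csrf_token=token)
    print("anonymous request valid:", validate_csrf(anon_req))
    rotated = login(anon_req, "sess-123")
    print("rotated after login:", rotated is not None)
    replay = Request(session_id="sess-123", csrf_cookie=nonce, csrf_token=token)
    print("old anonymous token accepted after login:", validate_csrf(replay))
```

Because the cookie nonce is signed rather than merely compared to the submitted value, this also resists the classic weakness of plain double-submit cookies, where an attacker who can set a cookie for the domain (for example from a sibling subdomain) supplies both halves themselves.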