fix: don't update session on GET with token already set

[chrispatmore]

Motivation:

The updated CSRF handler would attempt to set the token into the session even when a new one was
not generated, this opened a timing issue where a GET request that started during / before a POST
but ended after would revert the changed token, leaving the user stuck

Contributes To: #2447

[chrispatmore]

Sorry @pmlopes @vietj tried to pull down my fix to #2447 early to try it out in our actual scenario and discovered a bug. Hopefully clear what it was from above. fixed it on my end, contributing it back now

[chrispatmore]

Not sure why those tests are failing, seems completely unrelated to me

[tsegismont]

@chrispatmore I've restarted the jobs

[chrispatmore]

Still not sure about the failure @tsegismont ?
FYI i have tagged this to the closed issue, do you want me to raise a new issue for this fix (I didn't initially, because its not released yet)

[tsegismont]

LGTM, thank you @chrispatmore

[tsegismont]

@chrispatmore #2447 has milestone is 4.5.0 but the PR which fixed has milestone 5.0.0.

Has the fix been backported to the 4.x branch?

[vietj]

@chrispatmore can you provide the same PR for the 4.x branch ?

[chrispatmore]

Sure I can do that.

Edit: The 4.x branch is a reasonable amount further behind than I was expecting, I assume you don't want me to pull in things from other changes as much as possible?

[chrispatmore]

@vietj does this meet your expectation: #2500

[tsegismont]

Edit: The 4.x branch is a reasonable amount further behind than I was expecting, I assume you don't want me to pull in things from other changes as much as possible?

Right