03 - CSRF where token validation depends on token being present