Fix logic in CSRF logic for checking if the session is active
The phpversion check was backwards. For PHP >= 5.4.0 we should be using session_status() === PHP_SESSION_ACTIVE not < 5.4.0.
But in fact, we only support >= 5.4.0, so this check is now redundant.