CSRF prevention

chandi requested to merge audit/csrf-protection into master

closes #475 (closed)

What does this MR do?

  • adds basic methods for storing & validating CSRF tokens
  • CSRF header mandatory for xhrapp.php except non-logged-in
  • CSRF header mandatory for xhr.php except non-logged-in
  • CSRF header mandatory for /api/ except non-logged-in

What it does not do

enable CSRF protection for the following (but this will hopefully be added soon in a next MR)

  • xhr.php?f=bBubble
  • xhr.php?f=uploadPicture
  • xhr.php?f=pictureCrop
  • xhr.php?f=getRecip
  • xhr.php?f=addPhoto
  • xhr.php?f=uploadPhoto
  • xhrapp.php?app=login&m=photoupload
  • xhrapp.php?app=login&m=joinsubmit
  • xhrapp.php?app=login&m=join
  • xhrapp.php?app=mailbox&m=attach
  • xhrapp.php?app=mailbox&m=quickreply
  • xhrapp.php?app=mailbox&m=fmail
  • xhrapp.php?app=main&m=picupload
  • xhrapp.php?app=bezirk&m=quickreply
  • xhrapp.php?app=wallpost&m=quickreply
  • xhrapp.php?app=wallpost&m=attachimage

How confident are you it won't break things if deployed?

mostly

Links to related issues

Checklist

  • added a test, or explain why one is not needed/possible...
  • no unrelated changes
  • asked someone for a code review
  • joined #foodsharing-beta channel at https://slackin.yunity.org
  • added an entry to CHANGELOG.md (description, merge request link, username(s))
Edited by Chris Oelmueller
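To illustrate the mechanism this MR describes (a session-bound token that logged-in requests must echo back in a request header, with the check skipped for sessions that are not logged in), here is an added PHP example. It is not the foodsharing project's own code and was not posted by the MR author; the class name `CsrfGuard`, the session key `csrf_token`, the header name `X-CSRF-Token`, and the `user_id` login marker are all assumptions. The sample session and server arrays at the bottom are constructed so the script runs offline without a real session.

```php
<?php
// Added example, not project code: a minimal session-bound CSRF token store
// and the header gate described in the MR. All names here are assumptions.

declare(strict_types=1);

final class CsrfGuard
{
    private const SESSION_KEY = 'csrf_token';   // assumed session key
    // PHP exposes the "X-CSRF-Token" request header under this $_SERVER key.
    private const HEADER = 'HTTP_X_CSRF_TOKEN';

    /** Return the session's token, minting a fresh random one on first use. */
    public static function token(array &$session): string
    {
        if (empty($session[self::SESSION_KEY])) {
            // 32 bytes from the CSPRNG, hex-encoded so it is header- and JSON-safe.
            $session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $session[self::SESSION_KEY];
    }

    /**
     * Compare a submitted token with the session's token. hash_equals() is
     * constant-time, so the comparison leaks nothing about how many leading
     * bytes matched.
     */
    public static function isValid(array $session, ?string $submitted): bool
    {
        $expected = $session[self::SESSION_KEY] ?? null;
        if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
            return false;
        }
        return hash_equals($expected, $submitted);
    }

    /**
     * Gate for an xhr-style endpoint. Per the MR, the header is mandatory only
     * for logged-in sessions; sessions without a logged-in user pass through.
     * Returns true when the request may proceed.
     */
    public static function requestAllowed(array $session, array $server): bool
    {
        $loggedIn = isset($session['user_id']);   // assumed login marker
        if (!$loggedIn) {
            return true;
        }
        return self::isValid($session, $server[self::HEADER] ?? null);
    }
}

// ---- constructed demo (stands in for $_SESSION / $_SERVER of real requests) ----
$session = ['user_id' => 42];                       // a logged-in session
$token   = CsrfGuard::token($session);              // token handed to the JS layer

// 1. Logged-in request carrying the right header: allowed.
var_dump(CsrfGuard::requestAllowed($session, ['HTTP_X_CSRF_TOKEN' => $token]));   // bool(true)

// 2. Logged-in request without the header (what a cross-site form submission
//    looks like, since a browser will not add custom headers for it): rejected.
var_dump(CsrfGuard::requestAllowed($session, []));                                // bool(false)

// 3. Logged-in request with a wrong token: rejected.
var_dump(CsrfGuard::requestAllowed($session, ['HTTP_X_CSRF_TOKEN' => 'deadbeef'])); // bool(false)

// 4. Not logged in, no header: allowed, matching the MR's "except non-loggedin".
var_dump(CsrfGuard::requestAllowed([], []));                                      // bool(true)
```

In a real endpoint the two arrays would be `$_SESSION` (after `session_start()`) and `$_SERVER`, and a `false` result should end the request with a 403 before any state-changing code runs. Delivering the token in a custom header rather than a form field is what makes the check effective: a plain cross-origin form post cannot set that header, while the site's own XHR code can read the token from the page and attach it. The token is tied to the session and never to a particular URL, so the same `requestAllowed` call can front xhr.php, xhrapp.php and /api/ alike.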
