cheatcode / joystick

A full-stack JavaScript framework for building stable, easy-to-maintain apps and websites.
https://cheatcode.co/joystick

Add a csrf: <boolean> flag to database config to avoid sticky sessions #351

Closed rglover closed 11 months ago

rglover commented 1 year ago

CSRF stuff is working, but in a load balanced app (as well as in local development w/ HMR), keeping sessions in sync is a pain. Best way to get around sessions going MIA is to put them into the database. Proposal is to just add a csrf: true/false flag to the existing database config (identical to users).

This would ensure that sessions are always in sync between instances (irrespective of scale). Would want to add a conditional to say if the app starts with no databases, disable CSRF protection.

rglover commented 11 months ago

Done. Used the csrf flag in conjunction with a refresh on the client after no interaction for 30 minutes (automatically retrieves a new csrf). That way an open tab/stale session doesn't cause errors when the user comes back after an hour + of inactivity.