3.x add config for cookie/jwt auth and check for CSRF token