Remove csrf keys used with get The original code didn't delete keys used with a get. Detect this and invalidate the keys. Get keys are more likely to leak (in urls etc.) so they have to be removed once used. Also a little code cleanup and added testing.