o restructure session open/close for better visibility
o remove potentially insecure "try again" button
o remove override for switching csrf off (defer)