    OF-777 CVE-2015-6973 CSRF protection (partial) · 3a6976f0
    Dave Cridland authored
    Extending the previous commit, this adds CSRF to a number of high-value target
    pages, including user password changing, deletion, lockout, etc., and also for
    the login page (to avoid a class of attack we probably don't care about).
    
    The CSRF mechanism requires manual addition to each form, but has been
    design reviewed by Simon Waters (Surevine Ltd).
user-lockout.jsp 9.88 KB