When checking the CSRF token, why check only the CSRF token in the form, or only the X-CSRFToken in the request header, but not the csrf_token in the cookie? Does checking