CSRF / cookie protection turned on by default

I think that in 2.0 we should enable CSRF token and cookie validation by default, so that the framework is more secure out of the box. We should also make it easier to turn off CSRF validation for certain controllers and actions.

I think it should be like it is, not every application needs this extra security.

I really like this idea! Turning CSRF validation on or off based on what controller or action you use would be neat.

For example, you have CSRF validation turned on for controllers that are used by users, but turned off for SOAP requests by remote applications.

There is absolutely no reason to allow CSRF on any site; it's better to be secure by default.