:sig
bool csrf_valid(String submitted_token, String session_name = "uce-session", String token_name = "csrf_token")

:params
submitted_token : value received from the request, usually `context.post["csrf_token"]`
session_name : session/cookie name used by `csrf_token()`
token_name : form/action token namespace used by `csrf_token()`
return value : `true` when the submitted token matches the session token

:content
Starts the named session if needed and checks `submitted_token` against the stored CSRF token using constant-time comparison. It does not create a token when none exists, so a request without a previously rendered form token fails closed.

Use this before mutating state from POST forms or other browser-submitted requests.

:example
String token = csrf_token("uce-doc-session");
print(csrf_valid(token, "uce-doc-session") ? "valid\n" : "invalid\n");
print(csrf_valid("bad-token", "uce-doc-session") ? "bad valid\n" : "bad invalid\n");

:see
>http
csrf_token
csrf_rotate
crypto_equal
session_start
