I had tried to remove it, thinking the `csrf` one wasn't used because
`identity` used `csrf_token` but unfortunately the `session` module
still used `csrf` and deleted it from the model during the response
transform. Instead, let the `csrf` value stick to the model to be
available on session object and mark the `csrf_token` value as the
deprecated one in the backend. Support for that will drop further in
the future.