Rather than using a separate named value to keep track of the current
CSRF token, simply treat this as part of the session state.