Use a HMAC to sign and validate CSRF tokens, instead of generating random ones and storing them in the session data

* Use a HMAC to sign and validate CSRF tokens, instead of generating random
ones and storing them in the session data. Reduces the number of writes to
the sessions table and fixes kanboard issue #4942.
* Added missing CSRF check for starting/stopping subtask timers.

Co-authored-by: Willemijn Coene <willemijn@irdc.nl>
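As an added illustration of the approach the commit message describes (this is not Kanboard's own code), a minimal HMAC-signed CSRF token whose validation needs no per-token row in the sessions table; the class name, the secret-key handling and the binding to a session id are assumptions made for the example:

```php
<?php
// Added example, not Kanboard code. Token layout (assumed for illustration):
//   base64url( nonce(16) . expiry(8) . HMAC-SHA256(secret, nonce . expiry . sessionId) )
// Nothing is stored per token: validation just recomputes the MAC.
declare(strict_types=1);

final class CsrfTokenSigner
{
    // $secret: per-installation random key (>= 32 bytes), kept outside the session.
    public function __construct(private string $secret) {}

    public function generate(string $sessionId, int $ttlSeconds = 3600): string
    {
        $nonce  = random_bytes(16);
        $expiry = pack('J', time() + $ttlSeconds);            // 8-byte big-endian
        // Binding the MAC to the session id stops a token minted for one
        // session from being accepted in another.
        $mac = hash_hmac('sha256', $nonce . $expiry . $sessionId, $this->secret, true);
        return rtrim(strtr(base64_encode($nonce . $expiry . $mac), '+/', '-_'), '=');
    }

    public function validate(string $token, string $sessionId): bool
    {
        $raw = base64_decode(strtr($token, '-_', '+/'), true);
        if ($raw === false || strlen($raw) !== 16 + 8 + 32) {
            return false;                                       // malformed
        }
        $nonce  = substr($raw, 0, 16);
        $expiry = substr($raw, 16, 8);
        $mac    = substr($raw, 24, 32);
        if (unpack('J', $expiry)[1] < time()) {
            return false;                                       // expired
        }
        $expected = hash_hmac('sha256', $nonce . $expiry . $sessionId, $this->secret, true);
        return hash_equals($expected, $mac);                    // constant-time compare
    }
}

// Usage with constructed values.
$signer   = new CsrfTokenSigner(random_bytes(32));
$sid      = 'constructed-session-id';
$token    = $signer->generate($sid);
$tampered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1);  // flip nonce bits

var_dump($signer->validate($token, $sid));              // bool(true)
var_dump($signer->validate($token, 'other-session'));   // bool(false): wrong session
var_dump($signer->validate($tampered, $sid));           // bool(false): MAC mismatch
```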
irdc
2022-09-18 02:23:41 +02:00
committed by GitHub
parent f68996b9c7
commit 4b76bc5b32
4 changed files with 84 additions and 28 deletions


@@ -43,6 +43,7 @@ class SubtaskStatusController extends BaseController
*/
public function timer()
{
$this->checkReusableGETCSRFParam();
$task = $this->getTask();
$subtask = $this->getSubtask($task);
$timer = $this->request->getStringParam('timer');
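Review bot: the links that trigger timer() are not part of this hunk, so confirm they are now generated with the token parameter that checkReusableGETCSRFParam() expects; otherwise the existing start/stop links will be rejected by the new check. Placing the call before getTask() and getSubtask() is the right order, since a request without a valid token fails before any lookup is done. The commit message only says "added missing CSRF check"; it would help to state there that the reusable GET variant is used for this action, so the choice is documented for whoever audits it later.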