Sessions must be started to use CSRFGuard!