Way to select session or cookie based tokens? #94

Open
rkerr opened this issue Dec 19, 2019 · 0 comments
rkerr commented Dec 19, 2019

With the Django middleware, the default settings are such that the CSRF token is stored in a cookie, with an optional setting to store it in a server-side session instead of using the cookie.

With Flask-Seasurf it appears that the default is to store the token in both the session and the cookie, but always use the session to validate against. I can't see a way to configure things to set just the session and not the cookie, or to use just the cookie and not store/validate against the session.

There is a `disable_cookie()` decorator, but that appears to disable session-based storage too (as the session is actually updated in `_set_session_cookie`). Not sure if that's intentional - feels like a bug?

Ideally it would be nice for Flask-Seasurf to have the same flexibility as the Django middleware, but if not it would be good to get a way to optionally disable the cookie as it doesn't seem to be strictly required.
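The two storage modes this issue asks to choose between, sketched as an added example (not code from Flask-Seasurf, Django, or the issue author): the token is stored in, and validated against, exactly one place. `CsrfStore`, `SESSION_KEY`, `COOKIE_NAME` and the plain dicts standing in for the session and cookie jar are hypothetical names chosen for illustration.

```python
import hmac
import secrets

SESSION_KEY = "_csrf_token"   # hypothetical session key
COOKIE_NAME = "csrf_token"    # hypothetical cookie name


class CsrfStore:
    """Keep the CSRF token in exactly one place.

    mode="session": token lives only in the server-side session.
    mode="cookie":  token lives only in a cookie (double-submit pattern).
    """

    def __init__(self, mode):
        if mode not in ("session", "cookie"):
            raise ValueError("mode must be 'session' or 'cookie'")
        self.mode = mode

    def issue(self, session, response_cookies):
        """Mint a token, store it per the mode, return it for the form/header."""
        token = secrets.token_urlsafe(32)
        if self.mode == "session":
            session[SESSION_KEY] = token          # no cookie is written
        else:
            response_cookies[COOKIE_NAME] = token  # session is left untouched
        return token

    def validate(self, session, request_cookies, submitted):
        """Compare the submitted token with the copy the mode trusts."""
        if self.mode == "session":
            expected = session.get(SESSION_KEY)
        else:
            expected = request_cookies.get(COOKIE_NAME)
        if not expected or not submitted:
            return False
        # Constant-time comparison avoids leaking the token via timing.
        return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    """Constructed request cycle for both modes; returns the four outcomes."""
    results = {}
    for mode in ("session", "cookie"):
        session, cookies = {}, {}
        store = CsrfStore(mode)
        token = store.issue(session, cookies)
        results[mode, "valid"] = store.validate(session, cookies, token)
        results[mode, "forged"] = store.validate(session, cookies, "forged")
    return results


if __name__ == "__main__":
    print(demo())
```

In session mode a cookie carrying the right value is ignored; in cookie mode the server keeps no per-user state, so the check is only as trustworthy as the cookie itself.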
