use hmac_sha256 instead of sha1 for csrf token