mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00

Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them

Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).

While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).

Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
Shai Berger
2015-11-07 18:35:45 +02:00
parent 6d9c5d46e6
commit 5112e65ef2
8 changed files with 241 additions and 70 deletions
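The scheme the commit message describes, as an added Python illustration written for this page (it is not the patch's own code, and the names `mask_secret`, `unmask_token`, `sanitize_token` and `tokens_equivalent` are mine): a fixed per-session secret is combined with a fresh random mask on every `get_token()`-style call, so the token the browser sees differs each request while still unmasking to the same secret; validation is strict (`[A-Za-z0-9]{64}`), with a 32-char legacy value accepted and upgraded to a masked 64-char token. Invalid input returns `None` here; a caller would then issue a new token.

```python
import secrets
import string
from hmac import compare_digest

ALLOWED_CHARS = string.ascii_letters + string.digits  # [A-Za-z0-9]
SECRET_LENGTH = 32                                   # legacy, unmasked token length
TOKEN_LENGTH = 2 * SECRET_LENGTH                     # mask + masked secret


def new_csrf_string(length=SECRET_LENGTH):
    """Random string over ALLOWED_CHARS: used both as the secret and as a per-request mask."""
    return ''.join(secrets.choice(ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret, mask=None):
    """Return mask + (secret shifted by mask); each call with a fresh mask yields a new token."""
    mask = mask or new_csrf_string()
    n = len(ALLOWED_CHARS)
    cipher = ''.join(ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % n]
                     for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token):
    """Invert mask_secret: recover the secret from a 64-char masked token."""
    mask, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    n = len(ALLOWED_CHARS)
    return ''.join(ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % n]
                   for c, m in zip(cipher, mask))


def sanitize_token(token):
    """Strict validation: only [A-Za-z0-9]{64} passes unchanged; a 32-char legacy
    token is upgraded to a masked 64-char one; anything else is rejected (None)."""
    if not token or any(ch not in ALLOWED_CHARS for ch in token):
        return None
    if len(token) == SECRET_LENGTH:
        return mask_secret(token)
    if len(token) == TOKEN_LENGTH:
        return token
    return None


def tokens_equivalent(a, b):
    """Two masked tokens match iff they hide the same secret; compare in constant time."""
    return compare_digest(unmask_token(a), unmask_token(b))
```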


@@ -1,6 +1,5 @@
import json
from django.http import HttpRequest
from django.middleware.csrf import _compare_salted_tokens as equivalent_tokens
from django.template.context_processors import csrf
from django.test import SimpleTestCase
from django.utils.encoding import force_text
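Review bot: this context-processor test now imports the private helper `_compare_salted_tokens` from `django.middleware.csrf` (aliased as `equivalent_tokens`), so it breaks whenever that private name is renamed; either expose the comparison through a public name in `django.middleware.csrf` or add a one-line comment next to the import saying the private dependency is deliberate. Dropping `import json` in the same hunk is consistent only if no `json.dumps` call remains in the module.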
@@ -10,6 +9,7 @@ class TestContextProcessor(SimpleTestCase):
def test_force_text_on_token(self):
request = HttpRequest()
request.META['CSRF_COOKIE'] = 'test-token'
test_token = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefghijABCD'
request.META['CSRF_COOKIE'] = test_token
token = csrf(request).get('csrf_token')
self.assertEqual(json.dumps(force_text(token)), '"test-token"')
self.assertTrue(equivalent_tokens(force_text(token), test_token))
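Review bot: the `json.dumps(force_text(token))` assertion that gave `test_force_text_on_token` its purpose (the token must be serialisable as plain text, not a lazy object) is removed here, so the test no longer checks what its name promises; keep a `json.dumps(force_text(token))` call, or assert that `force_text(token)` is a text type, alongside the new `equivalent_tokens` check, and give the bare `self.assertTrue(...)` a `msg=` that prints both tokens so a failure is diagnosable. Switching from equality to equivalence is the right change, since `get_token()` now returns a differently salted 64-char value on every request.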