security: document and explain session CSRF safety better

Created by: slimsag

Stacked on top of #27298

The docstring already does a good job of explaining what this function does, but it was left up to the reader to then apply that logic to the actual code. Instead, we should also make the logic flow documented so that it is easy to follow, and easy to reason about changes to this code in the future.

Signed-off-by: Stephen Gutekanst stephen@sourcegraph.com