Task
Resolution: Done
Minor
None
-
Jenkins version: 2.190.3.2, Strict Crumb Issuer Plugin: 2.0.1
Regarding the security advisory published here: https://jenkins.io/doc/upgrade-guide/2.176/#SECURITY-626, there's some improved CSRF protection (SECURITY-626).
1. Basically CSRF tokens (crumbs) are now only valid for the web session for which they were created. I want to understand here if there was any major issue with CSRF to introduce this change?
2. Also, to disable this improvement we can set the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true.
Is this property setting a workaround to make CSRF protection backward compatible or is this going to be deprecated in future and crumb requests have to use cookies compulsorily?
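To make the behaviour the two questions are about concrete, here is an added toy model of a session-bound crumb issuer (example code, not Jenkins' own DefaultCrumbIssuer nor the Strict Crumb Issuer plugin). It assumes a crumb is a keyed digest over the requester's user name, client IP and, unless `exclude_session_id` is set, the web session id; the salt, user, IP and session ids are constructed values. `exclude_session_id=True` models the effect of setting `hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true` as described in the advisory, and the two scenarios show why a script that fetches a crumb without keeping the session cookie starts getting 403s after the change, and works again once it sends the cookie with the POST.

```python
import hashlib
import hmac
import itertools

# Constructed server-side salt; stands in for the secret Jenkins keeps.
SERVER_SALT = b"constructed-salt-not-a-real-jenkins-secret"


class CrumbServerModel:
    """Toy model of a crumb issuer (not Jenkins' own code).

    exclude_session_id=False models the SECURITY-626 behaviour: the crumb
    digest covers the web session, so the crumb is only valid for the
    session that fetched it.  exclude_session_id=True models setting
    hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true, which
    restores the earlier session-independent crumb.
    """

    def __init__(self, exclude_session_id=False):
        self.exclude_session_id = exclude_session_id
        self._counter = itertools.count(1)

    def open_session(self):
        # Stands in for the JSESSIONID cookie the server sets on first contact.
        return f"sess-{next(self._counter)}"

    def _crumb(self, user, client_ip, session_id):
        # Hypothetical digest layout: user;ip[;session], keyed with the salt.
        material = f"{user};{client_ip}"
        if not self.exclude_session_id:
            material += f";{session_id}"
        return hmac.new(SERVER_SALT, material.encode(), hashlib.sha256).hexdigest()

    def get_crumb(self, session_id, user, client_ip):
        """Models GET /crumbIssuer/api/json made within an existing session."""
        return self._crumb(user, client_ip, session_id)

    def post(self, session_id, user, client_ip, crumb):
        """Models a state-changing POST; 200 if the crumb verifies, else 403."""
        expected = self._crumb(user, client_ip, session_id)
        return 200 if hmac.compare_digest(crumb, expected) else 403


def run_scenarios(exclude_session_id=False):
    """Two client behaviours against the model; returns their HTTP statuses."""
    server = CrumbServerModel(exclude_session_id)
    user, ip = "alice", "10.0.0.5"  # constructed values

    # 1. Script fetches a crumb but keeps no cookie jar, so the POST arrives
    #    in a fresh session.  This is the same situation as any crumb
    #    presented from a session other than the one it was issued to.
    first = server.open_session()
    crumb = server.get_crumb(first, user, ip)
    fresh = server.open_session()
    no_cookie_jar = server.post(fresh, user, ip, crumb)

    # 2. Same script with a cookie jar: the POST reuses the session that
    #    fetched the crumb, which is what the advisory requires.
    session = server.open_session()
    crumb = server.get_crumb(session, user, ip)
    with_cookie_jar = server.post(session, user, ip, crumb)

    return {"no_cookie_jar": no_cookie_jar, "with_cookie_jar": with_cookie_jar}


if __name__ == "__main__":
    print("session-bound crumbs:   ", run_scenarios(exclude_session_id=False))
    print("EXCLUDE_SESSION_ID=true:", run_scenarios(exclude_session_id=True))
```

With session-bound crumbs the first scenario returns 403 and the second 200; with the property set, both return 200, which is the backward-compatible behaviour the property exists to provide. The check a client needs is therefore simply to send the same session cookie on the POST that it received when fetching the crumb.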