lyft / confidant

Confidant: your secret keeper. https://lyft.github.io/confidant

When redirecting user to loggedout also clear the cookies

ryan-lane opened this issue

We've run into situations where the CSRF tokens aren't always fully purged for some reason and users end up with two tokens, which causes failures for them. When users are logged out, the JS should additionally clear all cookies associated with the domain, as an extra reliability measure.

Looks like in the cases where we're seeing this, it's due to conflicting XSRF cookies in a domain, so the proper fix is to use a cookie name that's unique to confidant.

Fixed in 1.3.0
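
The collision described in this issue, as an added example that is not part of the original thread or Confidant's code: a simulated cookie jar shows how a page ends up seeing two XSRF cookies with the same name, and how a unique name removes the ambiguity. The hostnames, token values, the `XSRF-TOKEN` and `CONFIDANT-XSRF-TOKEN` names, and the first-match reader are all assumptions made for illustration.

```javascript
// Constructed jar: two apps under one parent domain; all names and values are made up.
// Order is creation order, which is how browsers order cookies with equal path length.
const sharedNameJar = [
  { name: "XSRF-TOKEN", value: "other-app-token", domain: "example.com", hostOnly: false },
  { name: "XSRF-TOKEN", value: "confidant-token", domain: "confidant.example.com", hostOnly: true },
];
// Same jar after the fix: the app's cookie gets a name nobody else uses (hypothetical name).
const uniqueNameJar = [
  sharedNameJar[0],
  { ...sharedNameJar[1], name: "CONFIDANT-XSRF-TOKEN" },
];

// Simplified RFC 6265 domain matching: host-only cookies need an exact host match,
// domain cookies also apply to every subdomain.
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// The string a page on `host` sees in document.cookie (and sends in the Cookie header).
function cookieString(jar, host) {
  return jar.filter((c) => domainMatches(c, host))
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

// Simple reader that returns the first pair with a matching name.
function readCookie(cookieStr, name) {
  for (const pair of cookieStr.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

// Check for the failure condition: cookie names that appear more than once.
function duplicateNames(cookieStr) {
  const counts = new Map();
  for (const pair of cookieStr.split("; ").filter(Boolean)) {
    const name = pair.slice(0, pair.indexOf("="));
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

const appHost = "confidant.example.com";
console.log(readCookie(cookieString(sharedNameJar, appHost), "XSRF-TOKEN"));
console.log(duplicateNames(cookieString(sharedNameJar, appHost)));
console.log(readCookie(cookieString(uniqueNameJar, appHost), "CONFIDANT-XSRF-TOKEN"));
```

With the shared name, the reader returns the other application's token, so the value echoed back to the server does not match the one it issued.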