Fixes #4827: default config for functional tests of both basic and advanced app now turns off CSRF validation while providing commented out alternative setting cookie domain to localhost