Add note about what method is doing

app/controllers/concerns/cookie_based_csrf.rb

@@ -12,6 +12,7 @@ module CookieBasedCsrf
     end
 
     def set_csrf_token
+      # If no JWT, reset CSRF tokens
       unless cookies[:jwt]
         cookies.delete(:_csrf_token)
         cookies.delete('x-csrf-token')