In OWASP CSRFGuard up to and including 3.1.0, CSRF can occur because the CSRF cookie may be retrieved by using only a session token.
owasp csrfguard
owasp csrfguard 4.0