Do not pass the __csrf_token via return_url when the user is not logged-in
Passing the token seems to cause problems with web vulnerability scanners, that poison the token value. The value of passing the token value for unregistered users is questionable.
If this change is kept, it should go as well to the openacs-bootstral3.theme.