The side effect of info.magnolia.personalization.geoip.CountryDetectorFilter currently is that it triggers the session creation for even anonymous users. This is done supposedly to not invoke costly GeoIp calls upon every request, but is prone to various problems related to the anonymous user sessions:

• e.g. as had suggested - it could be prone to denial of service attacks
• it masquerades our CSRF-prevention mechanism (which kicks in only when the session is not created)