Jenkins / JENKINS-72492

Better CSRF defaults

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core

      The current default crumb issuer computes a crumb based on:

      • session id (unless Jenkins is started with -Dhudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true)
      • client ip (unless "Enable proxy compatibility" is ticked in the configuration)

      The OWASP CSRF Prevention Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern) documents good practices regarding the computation of CSRF tokens.

      Using the session id to compute the crumb makes usage of the client ip unnecessary.

      It would therefore be preferable to stop using the client ip to compute the CSRF crumb, as it provides no additional security and degrades usability in various use cases involving load balancers.

      The proposed implementation is in two phases:
      1. Add an administrative monitor prompting users of EXCLUDE_SESSION_ID to stop using it. Instead, migrate whatever automation depends on this flag to access tokens (which don't require a CSRF crumb), or alternatively store and restore session cookies after obtaining a CSRF crumb. Another alternative is to install https://plugins.jenkins.io/strict-crumb-issuer/ and deselect session id.
      2. Once phase 1 has been integrated in a Jenkins LTS, remove the ability to use the EXCLUDE_SESSION_ID flag, and remove the code supporting client ip usage to compute the CSRF crumb.
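      As an added illustration (not Jenkins's own DefaultCrumbIssuer code) of the argument above, the following simplified model shows why a crumb bound to the session id already stops a cross-session replay, and why additionally binding it to the client ip is what breaks behind a load balancer. The HMAC construction, the server secret, the session ids and the addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-instance secret (assumption: one secret per Jenkins instance).
SERVER_SECRET = secrets.token_bytes(32)


def issue_crumb(session_id: str, client_ip: Optional[str], secret: bytes = SERVER_SECRET) -> str:
    """Compute a crumb as an HMAC over the session id and, optionally, the client ip.

    client_ip=None models the "Enable proxy compatibility" mode from the issue,
    where the crumb depends on the session only.
    """
    material = session_id.encode()
    if client_ip is not None:
        # Separator keeps "ab"+"c" distinct from "a"+"bc".
        material += b"\x00" + client_ip.encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def validate_crumb(crumb: str, session_id: str, client_ip: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the crumb for the request's session/ip and compare in constant time."""
    expected = issue_crumb(session_id, client_ip, secret)
    return hmac.compare_digest(crumb, expected)


def load_balancer_scenario(bind_to_ip: bool) -> bool:
    """One browser session whose requests reach Jenkins through two different
    proxy nodes (constructed addresses). Returns whether the POST is accepted."""
    session = "constructed-session-id"
    crumb = issue_crumb(session, "10.0.0.1" if bind_to_ip else None)  # crumb fetched via node 1
    return validate_crumb(crumb, session, "10.0.0.2" if bind_to_ip else None)  # POST arrives via node 2


def cross_session_scenario() -> bool:
    """A crumb legitimately issued for one session, submitted together with a
    different session's cookie (the shape of a forged cross-site request).
    Returns whether the request is accepted; session binding alone rejects it."""
    crumb = issue_crumb("other-session", None)
    return validate_crumb(crumb, "victim-session", None)
```

With the ip-bound mode the same session is rejected as soon as a second proxy node forwards the POST, while the session-only mode accepts it and still rejects the cross-session replay.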

            Assignee: Unassigned
            Reporter: Vincent Latombe (vlatombe)