Do login forms need tokens against CSRF attacks?

Frontend | Unresolved | 4 answers | 1333 views
慢半拍i 2020-11-27 10:45

From what I've learned so far, the purpose of tokens is to prevent an attacker from forging a form submission.

For example, if a website had a form that input added

4 answers
  •  星月不相逢
    2020-11-27 11:07

    Your understanding is correct -- the whole point of CSRF is that the attacker can forge a legitimate-looking request from beforehand. But this cannot be done with a login form unless the attacker knows the victim's username and password, in which case there are more efficient ways to attack (log in yourself).

    Ultimately the only thing that an attacker can do is inconvenience your users by spamming failed logins, when the security system might lock out the user for a period of time.

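For readers who want to see what a token check on a login form looks like in practice, here is an added example (it is not code from the question, from the answer above, or from any project on this page). The token is derived from an anonymous pre-login session cookie, so it only validates when it arrives together with the cookie it was issued for; a cross-site page that auto-submits the login form gets the victim's cookie attached by the browser but cannot read or derive the matching token. The names `SERVER_SECRET`, `new_pre_session`, `issue_csrf_token`, `verify_login_request` and `simulate`, the keyed-hash token design, and the sample usernames and passwords are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key used to derive tokens (assumption for this
# example; a real deployment would load it from configuration).
SERVER_SECRET = secrets.token_bytes(32)


def new_pre_session():
    """Issue an anonymous pre-login session id, sent to the browser as a cookie."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(pre_session_id):
    """Derive the hidden form token from the pre-login session id.

    Because the token is a keyed hash of the session id, it only verifies when
    submitted together with the same cookie. A token lifted from a different
    session (e.g. the attacker's own) will not match.
    """
    return hmac.new(SERVER_SECRET, pre_session_id.encode(), hashlib.sha256).hexdigest()


def verify_login_request(cookie_session_id, form_fields):
    """Check the token before looking at username/password.

    Returns (ok, reason). Uses a constant-time comparison so the check does
    not leak how many leading characters of the token were correct.
    """
    token = form_fields.get("csrf_token")
    if not cookie_session_id or not token:
        return False, "missing pre-login session cookie or csrf_token field"
    expected = issue_csrf_token(cookie_session_id)
    if not hmac.compare_digest(expected, token):
        return False, "csrf_token does not match the session cookie"
    return True, "csrf_token ok; continue to credential check"


def simulate():
    """Run the three request shapes discussed in the thread and report results."""
    # Legitimate flow: the browser loads the login page, receives a pre-login
    # session cookie, and the rendered form embeds the matching token.
    victim_cookie = new_pre_session()
    form_token = issue_csrf_token(victim_cookie)
    legit = verify_login_request(victim_cookie, {
        "username": "alice",               # constructed sample input
        "password": "correct horse",       # constructed sample input
        "csrf_token": form_token,
    })

    # Cross-site flow: an attacker-controlled page auto-submits the site's
    # login form with the attacker's own credentials. The browser attaches the
    # victim's cookie, but the attacker page cannot read the victim's token.
    forged = verify_login_request(victim_cookie, {
        "username": "attacker",            # constructed sample input
        "password": "attacker-password",   # constructed sample input
    })

    # Attacker supplies a token taken from their own pre-login session; it was
    # derived from a different session id and therefore does not verify.
    attacker_cookie = new_pre_session()
    foreign_token = issue_csrf_token(attacker_cookie)
    replayed = verify_login_request(victim_cookie, {
        "username": "attacker",
        "password": "attacker-password",
        "csrf_token": foreign_token,
    })

    return {
        "legit": legit[0],
        "forged_without_token": forged[0],
        "forged_with_foreign_token": replayed[0],
    }


if __name__ == "__main__":
    for case, accepted in simulate().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The check runs before the credentials are looked at, so a cross-site submission costs nothing beyond the token comparison and never reaches the account-lockout logic the answer mentions.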