Do login forms need tokens against CSRF attacks?

From what I’ve learned so far, the purpose of tokens is to prevent an attacker from forging a form submission.

For example, if a website had a form that added items to your shopping cart, an attacker could spam your shopping cart with items you don’t want.

This makes sense because there could be multiple valid inputs for the shopping cart form; all the attacker would have to do is know an item that the website is selling.

I understand how tokens work and add security in this case, because they ensure the user has actually filled in and pressed the “Submit” button of the form for each item added to the cart.

However, do tokens add any security to a user login form, which requires a username and password?

Since the username and password are very unique, the attacker would have to know both in order for the login forgery to work (even if you didn’t have tokens set up), and if an attacker already knew that, he could just sign onto the website himself. Not to mention, a CSRF attack that makes the user log himself in wouldn’t have any practical purpose anyway.

Is my understanding of CSRF attacks and tokens correct? And are they useless for user login forms as I suspect?
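The question describes the synchronizer token pattern: the server embeds a per-session secret in each state-changing form and refuses any POST that does not echo it back. The following is an added illustration (not code from the question or from any project it mentions) of that check in plain Python, with an in-memory session store, a constructed cart form and a constructed login form that both go through the same verification; the credential check in the login handler is a placeholder, and the route names and field names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and mint its own CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "cart": [], "user": None}
    return sid


def render_form(sid, action):
    """The server renders the hidden token into every state-changing form it serves.

    A cross-site page can make the victim's browser POST to `action` with the
    session cookie attached, but it cannot read this HTML, so it never learns the token.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            "</form>")


def csrf_ok(sid, submitted):
    """Compare the submitted token with the session's token in constant time."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    # Encode both sides so compare_digest accepts arbitrary user input.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def handle_post(sid, action, fields):
    """Dispatch a POST; every state-changing handler passes the same CSRF check first."""
    if not csrf_ok(sid, fields.get("csrf_token", "")):
        return 403, "rejected: missing or wrong CSRF token"
    session = SESSIONS[sid]
    if action == "/cart/add":
        session["cart"].append(fields["item"])
        return 200, f"added {fields['item']}"
    if action == "/login":
        # Placeholder credential check; a real application verifies a password hash.
        session["user"] = fields["username"]
        return 200, f"logged in as {fields['username']}"
    return 404, "unknown action"


def demo():
    """Run a forged and a genuine submission against both forms; return status codes and cart size."""
    sid = new_session()
    # Forged cross-site POST: cookies are sent automatically, but no token is known.
    forged_cart = handle_post(sid, "/cart/add", {"item": "widget"})
    # Genuine submission: the browser posts back the token the server rendered into the form.
    token = SESSIONS[sid]["csrf_token"]
    genuine_cart = handle_post(sid, "/cart/add", {"item": "widget", "csrf_token": token})
    # The identical check applied to the login form.
    forged_login = handle_post(sid, "/login", {"username": "alice", "password": "pw"})
    genuine_login = handle_post(sid, "/login",
                                {"username": "alice", "password": "pw", "csrf_token": token})
    return (forged_cart[0], genuine_cart[0], forged_login[0], genuine_login[0],
            len(SESSIONS[sid]["cart"]))


if __name__ == "__main__":
    print(demo())
```

The point of routing both forms through `csrf_ok` is that the check does not depend on how guessable the form's other fields are: the server only asks whether the request carries the secret that was rendered into a page of its own origin.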

3 Answers