Add CSRF protection to login and password change forms
Please add a token based CSRF protection to login form and password change forms (and maybe others).
Best practices requires that the token is linked to the form+session (and not usable on another form).