
I keep seeing code samples which place anti-forgery tokens on standard username/password login pages. Even the Asp.Net web project template does it.

Why? The only system state that is changed is the user's login status, and in order to even make that happen the attacker would need their username and password which would mean everything is already maximally compromised.

I just don't see the attack vector here. Am I missing something?

George Mauer

2 Answers


Expanding on IRCMaxell's answer. CSRF is by definition meant to use a user's session and/or permissions against them. A non-authenticated user isn't the target of CSRF.

Here's a useful OWASP article on the subject: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Placing anti-forgery tokens in login forms is almost entirely for consistency's sake.

EDIT:

That last statement I made was incorrect. Another answer here correctly pointed out that "Account Fixation" attacks are possible. This means that it's possible to log someone in to a site under credentials that are not their own. This can lead to the potential disclosure of personal or financial information.

That being said, the general practice of including CSRF validation for all your webforms is a useful and often necessary practice.

TheMonarch

The only system state that is changed is the user's login status, and in order to even make that happen the attacker would need their username and password which would mean everything is already maximally compromised.

The problem is that the attacker can use a username and password for some other account that the attacker has access to, rather than making an attempt on the user's own.

Without the CSRF token, the attacker can force the user to be logged into an account that isn't their own: an account fixation attack. Depending on how the attack is started and how prominently the app displays the current account, maybe the victim won't notice, and will assume they're still logged into their own account. This might cause them to do something inappropriate, for example entering sensitive information into areas that the attacker can later log into the account to view.

What exactly an account fixation attack might lead to is highly application-specific, and for many apps there may be no practical attack possible. But for a general-purpose login form you can't tell that for sure, so yes, you should be using CSRF tokens.

bobince
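The login-CSRF (account fixation) defence both answers arrive at, shown as a framework-free Python sketch. This is an added example and not code from the question, the answers or the ASP.NET template: a synchronizer token is minted into an anonymous pre-login session, the site's own login page embeds it, and the login handler rejects any POST that does not carry it. The credential store, session store and function names are constructed for the demo; a real application would store password hashes rather than the plaintext used here.

```python
"""Login-CSRF defence: a synchronizer token bound to the pre-login session.

Added example (not the page's code). A cross-site page can make the victim's
browser POST the attacker's credentials to /login with the victim's cookie
attached, but it cannot read the token embedded in the site's own login page,
so the forged request is refused and the victim is never logged into the
attacker's account.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential store: the victim's account and one the attacker
# controls. Plaintext is for the demo only; real systems store hashes.
USERS: Dict[str, str] = {"victim": "victim-pass", "attacker": "attacker-pass"}

# Constructed server-side session store, keyed by the session cookie value.
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Issue an anonymous pre-login session carrying a fresh CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "user": None}
    return sid


def render_login_form(sid: str) -> dict:
    """What the site's own login page embeds as a hidden field."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}


def login(cookie_sid: Optional[str], form: dict) -> Tuple[int, Optional[str]]:
    """Handle POST /login. Returns (HTTP status, new session id or None)."""
    session = SESSIONS.get(cookie_sid or "")
    if session is None:
        return 403, None  # no pre-login session at all: forged or expired

    # Token check comes before credential check, in constant time so the
    # comparison does not leak the token byte by byte.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, None

    user = form.get("username", "")
    password = form.get("password", "")
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return 401, None

    # Rotate the session id on privilege change (blocks session fixation) and
    # discard the pre-login token so it cannot be replayed.
    del SESSIONS[cookie_sid]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"csrf": secrets.token_urlsafe(32), "user": user}
    return 200, new_sid


def current_user(sid: Optional[str]) -> Optional[str]:
    """Who the session is logged in as, or None for anonymous/unknown."""
    session = SESSIONS.get(sid or "")
    return session["user"] if session else None


if __name__ == "__main__":
    # Legitimate flow: the browser loads the form, then posts it with the token.
    sid = new_session()
    status, logged_in = login(sid, {**render_login_form(sid),
                                    "username": "victim", "password": "victim-pass"})
    print("genuine login:", status, current_user(logged_in))

    # Account-fixation attempt: an attacker's page auto-submits the attacker's
    # credentials; the victim's pre-login cookie is attached, the token is not.
    victim_sid = new_session()
    status, _ = login(victim_sid, {"username": "attacker", "password": "attacker-pass"})
    print("forged login:", status, current_user(victim_sid))
```

The distinction that matters is the second case: the credentials in the forged POST are perfectly valid, so a handler that only checks username and password would silently switch the victim's session to the attacker's account. Binding the token to the anonymous session is what makes the login form, not just the authenticated pages, a CSRF boundary.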