If it your opinion that the login page has to be CSFR protected then OK. BUT I don't want to have sessions started just for CSFR prevention for ANY code which is executed in not authenticated state
you refuse to understand how CSFR works
- at the first call the server generates a token
- the token is placed in a hidden filed
- before take any action the submitted token is verified
against the one from the first request
how do you genius imagine this works without storing the token in a session without start a session at all?
hint: you can't do without
The attack vector for CSRF through login page is not as useful as any attack vector once you are logged in. I mean, you are not logged in yet, so you can’t really generate any attacks that compromise your security.
There are perhaps some attacks possible if someone that also has an account on the same roundcube instance tricks you into logging into an account they control, but then you’ll be logged into their account. The possibilities for security related problems are limited, but there could be some privacy implications.
Maybe the roundcube devs can explain which attack vector they are trying to prevent by having CSRF on the login page.
Cor