I dont think anyone really wants to remove CSRF tokens from the login page. They have a use, no matter how small the risk. The protection is basically against people that dont have access to your login screen, but somehow manage to (make you) post to your login screen anyways. Thats enough reason to have sessions in the login screen, and Rosali should probably use a shell script to run those crontabs. Thats a much cleaner solution.
- what if your mailserver has rate-controls
Well, stop clicking that forged link then :)
Cor