I keep seeing code samples which place anti-forgery tokens on standard username/password login pages. Even the Asp.Net web project template does it.
Why? The only system state that is changed is the user's login status, and in order to even make that happen the attacker would need their username and password which would mean everything is already maximally compromised.
I just don't see the attack vector here. Am I missing something?
Expanding on IRCMaxell's answer. CSRF is by definition meant to use a user's session and/or permissions against them. A non-authenticated user isn't the target of CSRF.
Here's a useful OWASP article on the subject: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Placing anti-forgery tokens in login forms is almost entirely for consistency's sake.
EDIT:
That last statement I made was incorrect. Another answer here correctly pointed out that "Account Fixation" attacks are possible. This means that it's possible to log someone in to a site under credentials that are not their own. This can lead to the potential disclosure of personal or financial information.
That being said, the general practice of including CSRF validation for all your webforms is a useful and often necessary practice.