Salman Haq wrote:
> I'm building a form-based authentication system for a Quixote-based
> website and was wondering what role (if any) do form tokens play in user
> authentication? The form tokens I'm referring to are the random numbers
> returned by Session.create_form_token() in the session module.

Their main purpose is to avoid cross-site request forgeries. I don't think they provide much extra security on login forms but probably don't hurt anything either.

Regards,

Neil
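
The form-token check described in the reply above, as an added example that is not part of the original message and is not Quixote's own code: a session issues a random token for each rendered form, and a POST is accepted only if it returns a token issued to that same session. `DemoSession`, `consume_form_token`, `handle_post`, the `form_token` field name and the cap of 16 outstanding tokens are assumptions made for the illustration.

```python
import hmac
import secrets

MAX_FORM_TOKENS = 16  # assumed cap on unused tokens kept per session


class DemoSession:
    """Stand-in session object (hypothetical, not Quixote's Session class)."""

    def __init__(self):
        self._form_tokens = []  # unused tokens, oldest first

    def create_form_token(self):
        """Issue a random token to embed in a hidden form field."""
        token = secrets.token_hex(16)
        self._form_tokens.append(token)
        # Drop the oldest tokens so the list cannot grow without bound.
        del self._form_tokens[:-MAX_FORM_TOKENS]
        return token

    def consume_form_token(self, submitted):
        """Return True exactly once for a token issued to this session."""
        if not isinstance(submitted, str):
            return False
        candidate = submitted.encode("utf-8", "replace")
        for token in self._form_tokens:
            # Constant-time comparison of the stored and submitted values.
            if hmac.compare_digest(token.encode("ascii"), candidate):
                self._form_tokens.remove(token)  # single use
                return True
        return False


def handle_post(session, fields):
    """Process a state-changing POST only if it carries a valid token."""
    if not session.consume_form_token(fields.get("form_token")):
        return "403 invalid form token"
    return "200 ok"


def demo():
    user = DemoSession()   # session behind the user's cookie (constructed)
    other = DemoSession()  # a different session (constructed)
    token = user.create_form_token()
    return [
        handle_post(user, {"amount": "10"}),                           # no token
        handle_post(user, {"form_token": other.create_form_token()}),  # other session's token
        handle_post(user, {"form_token": token}),                      # genuine form
        handle_post(user, {"form_token": token}),                      # same token again
    ]
```

A cross-site request rides on the user's session cookie but cannot read the token embedded in the user's form, so it fails the check the same way the first two requests in `demo()` do.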