@SeanWrightSec Yes, being able to log in is near useless if everything else has CSRF protections. It's too often the other way round though - so if you already have a valid session (i.e. no need to log in), it's possible to hit config pages and make changes silently.