Thanks, Yuri!

The idea is that /login is not supposed to work unless the token is provided. The https://www.drupal.org/node/2424977 screenshots of the RESTClient output
imply a protocol in which you need to get a first CSRF token to log in, and then a second one from the login response for the rest of the session.
So, the better question would be why Drupal doesn’t reject login requests that do not present a CSRF Token.