I noticed that a lot of sites send a random token with form posts even though the user is not logged into a service requiring authentication. I understand the use of a token when you have an authenticated session, but what is the point in sending one when they aren't authenticated?
Is it common practice to create a session when a user isn't logged in and pair a token to it?
Thanks,