Vulnerable to login/logout CSRF

[brodygov]

The app is entirely stateless and doesn't check the state or nonce parameters to double check that a received login request actually originated with this sample app.

As a result, an attacker who can convince a user to follow a link will be able to cause them to log in to the sample app even without directly visiting it first.

This has low impact even for production service providers, but it would still be good to set a better example here.

This is referenced in mastiffwasp-7