If you only used cookies then it would be possible for an attacker to perform any action on your behalf by including an iframe on their site and forcing you to do an action.

Form tokens are not the only method you can use, I’ve done a newer post which explains various techniques:-
http://www.thespanner.co.uk/2007/08/21/protection-against-csrf-part-2/

If you randomise the URL on every login this can be a good way of protecting against CSRF but check out the examples above to see which is best for you.

It sounds like a good solution. It would be good for me but I have systems where its an issues to store server state. I try and operate with a REST model trying to ensure that there is little to no state at the server. Using cookies where possible for logins. Is it impossible to protect against this sort of attack without relying on server state?

Thanks