Rails automatically adds CSRF protection to all forms by default by adding an
No, not for this specific situation. A CSRF attack allows an attacker to exploit the rights that a victim has,
It makes no sense to attack the login form, since an attacker can log in by himself if he has the information that is required for a successful attack on the login field (the username and password).
The reason why Rails uses CSRF protection on the login field is simple: it's much simpler to implement CSRF protection globally than for 95% of the fields ;)
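A sketch of the global check the answer refers to, as an added example that is not part of the original answer and not Rails' own code: one guard verifies a per-session token on every non-GET request, so the login form is covered without any per-form decision. `CsrfGuard`, `run_samples` and the sample requests are hypothetical and constructed; `authenticity_token` is the parameter name Rails uses for its form token.

```ruby
require "securerandom"

# Minimal global CSRF check (illustrative only; not Rails' implementation).
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Issue (or reuse) the per-session token that is embedded in every form.
  def token_for(session)
    session[:csrf_token] ||= SecureRandom.base64(32)
  end

  # Applied to every request: safe methods pass, everything else needs the token.
  def allowed?(http_method, session, params)
    return true if SAFE_METHODS.include?(http_method)
    expected  = session[:csrf_token]
    submitted = params["authenticity_token"]
    return false unless expected.is_a?(String) && submitted.is_a?(String)
    secure_equal?(expected, submitted)
  end

  private

  # Constant-time comparison so timing does not reveal how much of the token matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
  end
end

# Constructed sample requests against one visitor session.
def run_samples
  guard   = CsrfGuard.new
  session = {}
  token   = guard.token_for(session)
  {
    login_form_view:   guard.allowed?("GET",  session, {}),
    login_with_token:  guard.allowed?("POST", session, { "authenticity_token" => token, "user" => "alice" }),
    login_cross_site:  guard.allowed?("POST", session, { "user" => "alice" }),
    login_wrong_token: guard.allowed?("POST", session, { "authenticity_token" => SecureRandom.base64(32) }),
    post_no_session:   guard.allowed?("POST", {}, { "authenticity_token" => token })
  }
end

if $PROGRAM_NAME == __FILE__
  run_samples.each { |name, ok| puts format("%-18s %s", name, ok ? "accepted" : "rejected") }
end
```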