I don't think this token value is necessary for the login. Roundcube adds this field to every form to cross check if the request is submitted by an authenticated session. I haven't checked it, but IMO there should be no cross check for the login action.