
Caching login forms with Ruby on Rails

I have a Rails 3 website, for which the home page is static content plus a login form. I want to use HTTP caching on this page (we're on Heroku, behind Varnish), but then the login form's authenticity token is cached, which triggers forgery protection and prevents login for all but the first session.

I think my best course of action is to disable forgery protection for this action but first I want to understand the risks involved.

So… what are the risks of disabling forgery protection in this scenario?

Alternatively, is there a better way to solve this problem?


Bad things could happen; there's a reason CSRF is on by default. http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests

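To make the failure mode and the alternative concrete, here is an added example (constructed for this page, not Rails' own implementation nor code from the asker): a small plain-Ruby simulation of per-session forgery tokens. It assumes a simplified token scheme (a per-session secret, with the form token derived from it by HMAC; real Rails 3 stores the token directly in the session, but the cache interaction is the same) and a hypothetical uncached token endpoint. The first scenario reproduces the symptom from the question: Varnish stores the first visitor's rendered form and every later visitor submits a token that belongs to someone else's session. The second scenario keeps the page cacheable but leaves the token out of it, so each client fills it in from a per-session response that is marked `no-store`; forgery protection stays on and still rejects a token from another session.

```ruby
require 'securerandom'
require 'openssl'

# Constructed simulation (not Rails' code) of per-session CSRF tokens, to show
# why caching a rendered login form breaks forgery protection and how keeping
# the token out of the cached page fixes it.

# Each session owns a random secret; the token shown in a form derives from it.
def new_session
  { csrf_secret: SecureRandom.hex(32) }
end

def csrf_token_for(session)
  OpenSSL::HMAC.hexdigest('SHA256', session[:csrf_secret], 'login-form')
end

# Constant-time comparison so token verification does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# The forgery check: the submitted token must match the submitting session.
def verified_request?(session, submitted_token)
  return false if submitted_token.nil?
  secure_compare(csrf_token_for(session), submitted_token)
end

# What the asker's page does today: the token is baked into the rendered HTML.
def render_login_form(session)
  "<form action='/login' method='post'>" \
  "<input type='hidden' name='authenticity_token' value='#{csrf_token_for(session)}'>" \
  "</form>"
end

def extract_token(html)
  html[/name='authenticity_token' value='([0-9a-f]+)'/, 1]
end

# Scenario 1: the cache stores the first visitor's form and serves that same
# HTML to the second visitor, who therefore submits a foreign token.
def cached_form_scenario
  first, second = new_session, new_session
  cached_html = render_login_form(first)   # stored by Varnish on first render
  served_to_second = cached_html           # cache hit: no re-render for session 2
  token = extract_token(served_to_second)
  { first_ok: verified_request?(first, token),
    second_ok: verified_request?(second, token) }
end

# Scenario 2: the cached page carries an empty token slot; each client fetches
# its own token from a hypothetical per-session endpoint that must never be
# cached by a shared proxy (Cache-Control: no-store) and fills the slot in.
CACHEABLE_SHELL = "<form action='/login' method='post'>" \
                  "<input type='hidden' name='authenticity_token' value=''>" \
                  "</form>".freeze

def token_endpoint(session)
  { headers: { 'Cache-Control' => 'no-store' }, body: csrf_token_for(session) }
end

def split_token_scenario
  first, second = new_session, new_session
  fill = lambda do |session|
    CACHEABLE_SHELL.sub("value=''", "value='#{token_endpoint(session)[:body]}'")
  end
  { first_ok:        verified_request?(first,  extract_token(fill.call(first))),
    second_ok:       verified_request?(second, extract_token(fill.call(second))),
    cross_session_ok: verified_request?(second, extract_token(fill.call(first))) }
end

if __FILE__ == $PROGRAM_NAME
  p cached_form_scenario   # second visitor fails: token belongs to session 1
  p split_token_scenario   # both succeed; a swapped token is still rejected
end
```

The point of the second scenario is that the cacheable part (the static page) and the per-session part (the token) are served by different responses with different cache headers, so you keep both Varnish hits on the home page and forgery protection on the login POST. Disabling `protect_from_forgery` for the login action instead removes the check that stops the login-CSRF case linked in the answer.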
