Where in the code does the missing token error message come from. I suspect you do not have a valid session when the login page is rendered. You can verify this by looking at the source code for the log in page in the browser. If it is blank, you know this is why.
Most people don't do CSRF checking for the login page. Wgat happens if the user logs in? He has a vallid session. But the hacker can't do anything until another update request is made. And THAT request is what you add CSRF prevention to.