I have about 3 pages of this: Invalid CSRF Token __CSRFToken_. What does it mean, and is it important?

My understanding about CSRF Tokens is fairly limited. My understanding is that osTicket uses cookies to push a token to the client (web browser) with each authentication form. When someone enters their username and password to log in, it sends the username, password, and token back to the server. The server then compares the three with what it has. When the CSRF token doesn't match, it assumes (usually rightly) that the login attempt is an attack and fails the login.

a month later

Is there a way to turn this off? Setting cookies at all... I hate cookies. We usually have cookies disabled in the browser, anyway. Besides, we use so many different computer systems that this could be really bad for us.
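
Added example, not part of the thread and not osTicket's code: a generic session-bound CSRF check in Python, assuming the token is kept in the server-side session and echoed back in a hidden form field. It shows why a browser that never returns the session cookie ends up with "Invalid CSRF Token" entries like the ones in the log; all names (`SESSIONS`, `render_login_form`, `handle_login_post`) are hypothetical.

```python
import hmac
import secrets

# Hypothetical server-side session store: session id -> session data.
SESSIONS = {}

def get_session(cookie_sid):
    """Return (sid, session). A request without a known cookie gets a new session."""
    if cookie_sid in SESSIONS:
        return cookie_sid, SESSIONS[cookie_sid]
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_hex(20)}  # fresh token per session
    return sid, SESSIONS[sid]

def render_login_form(cookie_sid=None):
    """GET: return (session id sent via Set-Cookie, token placed in a hidden field)."""
    sid, session = get_session(cookie_sid)
    return sid, session["csrf"]

def handle_login_post(cookie_sid, form_token):
    """POST: the form token must equal the token stored for the caller's session."""
    _, session = get_session(cookie_sid)
    # Constant-time comparison; an empty or missing token always fails.
    if not form_token or not hmac.compare_digest(session["csrf"], form_token):
        return "Invalid CSRF Token"
    return "token ok, now check credentials"

def demo():
    # 1. Browser that keeps cookies: same session on GET and POST.
    sid, token = render_login_form()
    with_cookies = handle_login_post(sid, token)

    # 2. Cookies disabled: the POST arrives without the session cookie, so the
    #    server starts a new session whose token differs from the one in the form.
    _, token = render_login_form()
    without_cookies = handle_login_post(None, token)

    # 3. Cross-site request: the browser attaches the cookie automatically, but
    #    the other site cannot read the token from the form, so none is sent.
    forged = handle_login_post(sid, "")
    return with_cookies, without_cookies, forged

if __name__ == "__main__":
    for label, result in zip(("cookies on", "cookies off", "cross-site"), demo()):
        print(f"{label:12} -> {result}")
```
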
