That's to protect against cross site request forgery. This is setting sensitive attributes via post. If a post has the authentication token, it can still set sensitive attributes.