Since Django 1.5.5, CSRF tokens are rotated on login. That makes it trivial to trigger a CSRF error in the following way:
- Open your app's login page in two different browser tabs.
- Log in using tab 1
- Log in using tab 2
The CSRF token sent along with the second login attempt (in a cookie) won't match the token that was embedded in the form, and so a CSRF error will be displayed.
It could be argued that the above is an odd/contrived thing to do, and so displaying a CSRF error here isn't too bad. Fine. But there's another, more subtle, way to trigger the same thing: