Reverts to changeset 435, and just add {% csrf_token %} to template forgot_pw.html, since CSRF protection seems to be only here (surely because of django.contrib.auth.views).
{% if flash.message %}
<script type="text/javascript">
<!--
$(function() {
enqueueMsg('{{ flash.message }}');
}) ;
-->
</script>
<div id="t-msg-wrapper" class="message" style="top:30px;left:30px; position:absolute;"></div>
{% endif %}