There's a good question at Using Pylons validate and authenticate_form decorator that brings to light the fact that if you're using @validate and @authenticate_form to decorate a Pylons controller action, @authenticate_form must come second. If not, after correcting and re-submitting the form following a failed validation, it detects a CSRF and 403s because input[type=hidden]#_authentication_token has no value.
For reasons I won't get into, I validate inside the controller action, without a decorator, per these instructions. Obviously, @authenticate_form is going to run before validation, which, for reasons stated above, is a problem.
My question: Just like validation can be done inside the controller action without a decorator, how can the same be done for cross-site forgery?
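The in-action check asked about, sketched as an added example that is not part of the original post and does not use Pylons' own API: the token is compared at the top of the action, before validation, and the form is re-rendered with the token when validation fails, so a corrected resubmission is not rejected. Plain dicts stand in for the session and request parameters, and all function names are hypothetical; only the field name `_authentication_token` comes from the post.

```python
import hmac
import secrets

TOKEN_KEY = "_authentication_token"  # hidden field name taken from the post


class CsrfError(Exception):
    """Raised where a real controller would abort with HTTP 403."""


def get_token(session):
    """Return the per-session token, creating it on first use."""
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_hex(16)
    return session[TOKEN_KEY]


def check_token(session, params):
    """Compare submitted and stored tokens in constant time."""
    submitted = (params.get(TOKEN_KEY) or "").encode("utf-8")
    expected = (session.get(TOKEN_KEY) or "").encode("utf-8")
    # An empty stored token must never match an empty submission.
    if not expected or not hmac.compare_digest(submitted, expected):
        raise CsrfError("CSRF token missing or mismatched")


def render_form(session, values, errors):
    """Stand-in for template rendering: the token is always re-emitted."""
    fields = dict(values)
    fields[TOKEN_KEY] = get_token(session)
    return {"fields": fields, "errors": errors}


def save_action(session, params):
    """Hypothetical action: CSRF check first, validation second."""
    check_token(session, params)
    values = {k: v for k, v in params.items() if k != TOKEN_KEY}
    errors = {}
    if "@" not in values.get("email", ""):  # constructed validation rule
        errors["email"] = "invalid email"
    if errors:
        # Re-render with the token so the corrected form can be resubmitted.
        return render_form(session, values, errors)
    return {"saved": values}
```
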