User does not necessarily know what CSRF is, and tends to get scared by
this, thinking he has abused something. On the other hand users tend to
know what session expiry means.
MINOR: change the ugly user-facing CSRF message to more friendly
Hmm, we need to fix this properly. It's useful to know there's a CSRF problem so you can see it in the error logs, but the user should be automatically taken back to their form with the nice message, rather than see a nice message on a blank page.
Yeah, I think for user facing errors, that's a more appropriate (less scary) message. As Sean says, it'd be good to log more detail (on an info level). Let's hope the GSOC project we've got around logging will get to that level of detail :)