Django's new CSRF protection appears to be much more strict. If using django.middleware.csrf.CsrfViewMiddleware, any POST must contain a valid csrf_token. Furthermore, if you use django.contrib.auth.views.login, you now have to use this middleware.
The effect of this is that any POST sent to piston fails the csrf check.
It's possible to bypass this check by adding a decorator to your views, but that doesn't work for instances of piston.Resource. A simple solution is to mimic Django's decorator by setting an attribute in the piston.Resource constructor:
    self.csrf_exempt = getattr(self.handler, 'csrf_exempt', True)
There very well may be a better way to handle this, but this solution works. Note that this is using rev 11682 of Django trunk.
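
How that attribute interacts with the middleware's per-view check, as an added example that is not part of the original post and is not Django or piston source: `Resource`, `csrf_process_view`, `dispatch` and the two handler classes are simplified, hypothetical stand-ins. Because the default is `True`, every handler is exempt unless it sets `csrf_exempt = False`, which matters for handlers authenticated by a browser session cookie.

```python
# Added illustration built from stand-ins; not Django or piston code.

class Resource:
    """Stand-in for piston.Resource: a callable view object wrapping a handler."""

    def __init__(self, handler):
        self.handler = handler
        # The line from the post: exempt by default unless the handler opts out.
        self.csrf_exempt = getattr(self.handler, 'csrf_exempt', True)

    def __call__(self, request):
        return "handled %s" % request["method"]


def csrf_process_view(request, callback):
    """Simplified stand-in for the middleware's per-view check (assumption)."""
    if getattr(callback, 'csrf_exempt', False):
        return None  # view object is marked exempt, skip the token check
    if request["method"] == "POST" and not request.get("token_valid"):
        return "403 CSRF verification failed"
    return None


def dispatch(request, view):
    """Run the CSRF check, then the view, as a request pipeline would."""
    rejection = csrf_process_view(request, view)
    return rejection if rejection is not None else view(request)


class TokenAuthHandler:
    """Hypothetical API handler with no csrf_exempt attribute: becomes exempt."""


class SessionAuthHandler:
    """Hypothetical cookie-authenticated handler that keeps the CSRF check."""
    csrf_exempt = False


# Constructed sample requests.
POST_NO_TOKEN = {"method": "POST", "token_valid": False}
POST_WITH_TOKEN = {"method": "POST", "token_valid": True}

if __name__ == "__main__":
    for handler in (TokenAuthHandler(), SessionAuthHandler()):
        name = type(handler).__name__
        print(name, "->", dispatch(POST_NO_TOKEN, Resource(handler)))
```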