Woo, I just get to copy-paste my response to django-users!
CSRF protects you from a 3rd party web site maliciously enticing a user to initiate data changing requests to your site. It does nothing to protect a user from having their cookies jacked by a 3rd party user, and then stopping that user from maliciously using the credentials inferred from those cookies.
That this is even news is surprising - it's hardly a new attack vector. The only new thing about it is it being hooked up to a web browser and showing live feeds of what is happening, which has probably opened the eyes of people who didn't think about it before.
It's like saying 'Oh wow, you can see in plain text peoples emails on unsecured wifi networks' - well, durr, its a plain text protocol, and the whole 'unsecured nework' bit should probably give it away...
If you don't want this to happen, then force the use of SSL throughout your site, and don't hand out session cookies over HTTP.