Closed
Description
Checklist
- I have verified that the issue exists against the master branch of Django REST framework.
- I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
- This is not a usage question. (Those should be directed to the discussion group instead.)
- This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
- I have reduced the issue to the simplest possible case.
- I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)
Steps to reproduce
- Install Django and Django REST Framework as per the instructions in the quickstart
- Set `CSRF_USE_SESSIONS = True` in settings
- Navigate to `/users/` and create a new user using "Post"
- Click "Put" to update the user
Expected behavior
The `PUT` request is accepted
Actual behavior
Django returns a 403 and indicates a CSRF failure
Additional Information
When using session-based CSRF, no cookie is sent to the browser. For any unsafe method except `POST`, the CSRF token is not in the form, and even if it is included Django ignores it if the method is not `POST` (see `CsrfViewMiddleware.process_view()`).
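To make the failure mode above concrete, here is an added, simplified model of the token lookup the issue describes (not Django's or DRF's own code; it omits token masking and constant-time comparison). `check_csrf` follows the rule quoted in the issue: the form field is consulted only on `POST`, every other unsafe method must carry the token in the `X-CSRFToken` header, and with `CSRF_USE_SESSIONS` the expected token lives only in the session, so a client has to read it from the rendered page rather than a cookie. The token and session values are constructed sample data.

```python
# Simplified model of CsrfViewMiddleware's token lookup under CSRF_USE_SESSIONS.
# Added example: not Django's or DRF's code; illustrates the issue's 403.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"   # Django's default header key in request.META
CSRF_SESSION_KEY = "_csrftoken"         # Django's default session key
FORM_FIELD = "csrfmiddlewaretoken"


def request_token(method: str, form: dict, meta: dict) -> str:
    """Return the token the middleware would read from the request ('' if none)."""
    token = ""
    if method == "POST":
        # The hidden form field is only consulted for POST bodies.
        token = form.get(FORM_FIELD, "")
    if token == "":
        # Any other unsafe method (PUT, PATCH, DELETE) must use the header.
        token = meta.get(CSRF_HEADER_NAME, "")
    return token


def check_csrf(method: str, form: dict, meta: dict, session: dict) -> int:
    """Return 200 if the request passes the session-based CSRF check, else 403.

    With CSRF_USE_SESSIONS the expected token is stored in the session, never
    in a cookie, so the client cannot recover it from document.cookie.
    """
    if method in SAFE_METHODS:
        return 200
    expected = session.get(CSRF_SESSION_KEY, "")
    if not expected:
        return 403
    return 200 if request_token(method, form, meta) == expected else 403


def headers_for_unsafe_request(token_from_page: str) -> dict:
    """Headers a client must add to PUT/PATCH/DELETE when no csrftoken cookie
    exists: the token is taken from the rendered template (e.g. the hidden
    csrfmiddlewaretoken input) and sent as X-CSRFToken."""
    return {CSRF_HEADER_NAME: token_from_page}


if __name__ == "__main__":
    session = {CSRF_SESSION_KEY: "constructed-sample-token"}   # constructed
    form = {FORM_FIELD: "constructed-sample-token"}
    print("POST with form token:", check_csrf("POST", form, {}, session))        # 200
    print("PUT with form token only:", check_csrf("PUT", form, {}, session))     # 403 (the issue)
    fixed = headers_for_unsafe_request("constructed-sample-token")
    print("PUT with X-CSRFToken header:", check_csrf("PUT", {}, fixed, session))  # 200
```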