Replaced the previous method of getting it from HTTP_POST to use
django's mechanism, which may or may not use HTTP_HOST. However if an
attacker changes the request header, there is not much he can do since
he cannot recreate the association nonce.