diff --git a/htdocs/index.php b/htdocs/index.php index 4c27538a..4ea09b34 100644 --- a/htdocs/index.php +++ b/htdocs/index.php @@ -386,6 +386,7 @@ if (isset($question)) { $smarty->assign('question', $question); } if (isset($login)) { $smarty->assign('login', $login); } +if (isset($formtoken)) { $smarty->assign('formtoken', $formtoken); } if (isset($usermail)) { $smarty->assign('usermail', $usermail); } if (isset($displayname[0])) { $smarty->assign('displayname', $displayname[0]); } if (isset($encrypted_sms_login)) { $smarty->assign('encrypted_sms_login', $encrypted_sms_login); } diff --git a/htdocs/sendtoken.php b/htdocs/sendtoken.php index f08455e6..9081a155 100644 --- a/htdocs/sendtoken.php +++ b/htdocs/sendtoken.php @@ -32,6 +32,7 @@ $userdn = ""; $token = ""; $usermail = ""; +$formtoken = ""; if (!$mail_address_use_ldap) { if (isset($_POST["mail"]) and $_POST["mail"]) { @@ -48,7 +49,26 @@ if (isset($_REQUEST["login"]) and $_REQUEST["login"]) { $login = strval($_REQUEST["login"]);} else { $result = "loginrequired";} -if (! isset($_POST["mail"]) and ! isset($_REQUEST["login"])) { $result = "emptysendtokenform"; } +if ( $result === "" and ( ! isset($_REQUEST["formtoken"]) or ! $_REQUEST["formtoken"] ) ) { + $result = "missingformtoken"; +} + +if (! isset($_POST["mail"]) and ! isset($_REQUEST["login"])) { + + $result = "emptysendtokenform"; + + # Generate formtoken + ini_set("session.use_cookies",0); + ini_set("session.use_only_cookies",1); + ini_set("session.use_strict_mode",0); + session_name("formtoken"); + session_id(session_create_id()); + session_start(); + $formtoken = session_id(); + $_SESSION['formtoken'] = $formtoken; + error_log("generated token: " . $formtoken); + session_write_close(); +} # Check the entered username for characters that our installation doesn't support if ( $result === "" ) { 
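Review bot: `error_log("generated token: " . $formtoken);` in the token-generation branch of sendtoken.php copies the freshly minted form token into the server error log, so the value that is meant to prove a client was served the form ends up in a file that is usually readable more widely than the session store; the `error_log("Invalid form token: sent: $formtoken, stored: ...")` line in the validation hunk further down has the same problem and additionally writes an unfiltered request value into the log. Keep the event and drop the value: `error_log("sendtoken: form token generated");` here and `error_log("sendtoken: invalid form token");` there. A second, smaller point: the token is read from `$_REQUEST["formtoken"]` although the form field it protects is read from `$_POST["mail"]`, so the token is also accepted from the query string; reading it from `$_POST` only would keep it out of URLs and referrer headers. The rest of the validation logic is in the next hunk of this file.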
@@ -162,7 +182,34 @@ } else { $token = session_id(); } + session_write_close(); +} + +#============================================================================== +# Check tokenform +#============================================================================== + +if ( !$result ) { + $formtoken = strval($_REQUEST["formtoken"]); + ini_set("session.use_cookies",0); + ini_set("session.use_only_cookies",1); + ini_set("session.use_strict_mode",0); + session_name("formtoken"); + session_id($formtoken); + session_start(); + if( $_SESSION['formtoken'] == $formtoken ) + { + # Remove session + session_unset(); + session_destroy(); + } + else + { + error_log("Invalid form token: sent: $formtoken, stored: " . $_SESSION['formtoken']); + $result = "invalidformtoken"; + } + session_write_close(); } #============================================================================== @@ -170,6 +217,7 @@ #============================================================================== if ( !$result ) { + $reset_url .= "?action=resetbytoken&token=".urlencode($token); if ( !empty($reset_request_log) ) { diff --git a/lang/ar.inc.php b/lang/ar.inc.php index cb62d52c..479f0323 100644 --- a/lang/ar.inc.php +++ b/lang/ar.inc.php @@ -176,3 +176,5 @@ $messages['smsnomatch'] = "رقم الرسائل القصيرة لا يتطابق مع اسم المستخدم."; $messages['sameasaccountpassword'] = "كلمة المرور الجديدة مطابقة لكلمة مرور تسجيل الدخول"; $messages['policynoreusecustompwdfield'] = "لا يجب ان تكون كلمة المرور الجديدة هي نفسها كلمة مرور تسجيل الدخول"; +$messages['missingformtoken'] = "Missing token"; +$messages['invalidformtoken'] = "Invalid token"; diff --git a/lang/ca.inc.php b/lang/ca.inc.php index 441075d6..2553a9e1 100644 --- a/lang/ca.inc.php +++ b/lang/ca.inc.php 
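Review bot: The "Check tokenform" block sets `session.use_strict_mode` to 0 and then calls `session_id($formtoken)` with a value straight from the request, so any string the client sends becomes the id of a brand-new empty session that `session_start()` creates and the final `session_write_close()` persists; the `else` branch never destroys it, and the comparison reads `$_SESSION['formtoken']` without `isset()` and with a loose `==`. I would validate the shape of the value before handing it to the session layer, compare with `isset()` plus `hash_equals()`, and tear the session down on both branches, as sketched below. The two lines at the top of the hunk (`session_write_close();` and `}`) close an `if` block that begins outside the hunk, and the context lines show the reset `$token` session has already been created by the time this check runs, which suggests a request with a bad form token still leaves a persisted reset session behind; since the form-token check needs nothing but the request, moving it ahead of the LDAP lookup and reset-session creation would avoid that, but I cannot confirm the ordering from the hunk alone.

```php
if ( !$result ) {
    $formtoken = strval($_REQUEST["formtoken"]);
    // … unchanged: ini_set() / session_name("formtoken") calls …
    # Only a value shaped like an id we generated ourselves may reach session_id():
    # PHP session ids are 22..256 characters from [A-Za-z0-9,-] (session.sid_length / sid_bits_per_character).
    if ( ! preg_match('/^[A-Za-z0-9,-]{22,256}$/', $formtoken) ) {
        $result = "invalidformtoken";
    } else {
        session_id($formtoken);
        session_start();
        $stored = isset($_SESSION['formtoken']) ? strval($_SESSION['formtoken']) : "";
        if ( $stored === "" or ! hash_equals($stored, $formtoken) ) {
            error_log("sendtoken: invalid form token");
            $result = "invalidformtoken";
        }
        # Remove the session on both branches: a valid token is single use, and with
        # strict mode off an unknown id has just created an empty session that must not persist.
        session_unset();
        session_destroy();
        session_write_close();
    }
}
```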
@@ -181,3 +181,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/cn.inc.php b/lang/cn.inc.php
index 677360d7..938ada69 100644
--- a/lang/cn.inc.php
+++ b/lang/cn.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/cs.inc.php b/lang/cs.inc.php
index c2b28030..948b5ad3 100644
--- a/lang/cs.inc.php
+++ b/lang/cs.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/de.inc.php b/lang/de.inc.php
index 08e1284c..4ec135b5 100644
--- a/lang/de.inc.php
+++ b/lang/de.inc.php
@@ -179,3 +179,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ee.inc.php b/lang/ee.inc.php
index b50419e4..2c78578f 100644
--- a/lang/ee.inc.php
+++ b/lang/ee.inc.php
@@ -178,3 +178,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/el.inc.php b/lang/el.inc.php
index fb4cc688..58136200 100644
--- a/lang/el.inc.php
+++ b/lang/el.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/en.inc.php b/lang/en.inc.php
index 40415978..28b4c6c0 100644
--- a/lang/en.inc.php
+++ b/lang/en.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/es.inc.php b/lang/es.inc.php
index 9240fe52..6c586c29 100644
--- a/lang/es.inc.php
+++ b/lang/es.inc.php
@@ -179,3 +179,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/eu.inc.php b/lang/eu.inc.php
index df21e91d..9b74f0c6 100644
--- a/lang/eu.inc.php
+++ b/lang/eu.inc.php
@@ -177,3 +177,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/fr.inc.php b/lang/fr.inc.php
index 84e9f4cd..0cc96047 100644
--- a/lang/fr.inc.php
+++ b/lang/fr.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "Le numéro de téléphone ne correspond pas à l'identifiant donné.";
 $messages['sameasaccountpassword'] = "Votre nouveau mot de passe est identique à votre mot de passe de connexion";
 $messages['policynoreusecustompwdfield'] = "Votre nouveau mot de passe ne devrait pas être le même que le mot de passe de connexion";
+$messages['missingformtoken'] = "Jeton manquant";
+$messages['invalidformtoken'] = "Jeton invalide";
diff --git a/lang/hu.inc.php b/lang/hu.inc.php
index 6f18df55..d3fa92c9 100644
--- a/lang/hu.inc.php
+++ b/lang/hu.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/it.inc.php b/lang/it.inc.php
index 5d2654b6..2240098b 100644
--- a/lang/it.inc.php
+++ b/lang/it.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ja.inc.php b/lang/ja.inc.php
index b54da2c0..8fc23052 100644
--- a/lang/ja.inc.php
+++ b/lang/ja.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/nb-NO.inc.php b/lang/nb-NO.inc.php
index 4a66e478..47a9804d 100644
--- a/lang/nb-NO.inc.php
+++ b/lang/nb-NO.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/nl.inc.php b/lang/nl.inc.php
index 40e561d3..8bf7a410 100644
--- a/lang/nl.inc.php
+++ b/lang/nl.inc.php
@@ -178,3 +178,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/pl.inc.php b/lang/pl.inc.php
index 8148d903..40178d3e 100644
--- a/lang/pl.inc.php
+++ b/lang/pl.inc.php
@@ -178,3 +178,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/pt-BR.inc.php b/lang/pt-BR.inc.php
index 6f0a55eb..eef7a628 100644
--- a/lang/pt-BR.inc.php
+++ b/lang/pt-BR.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/pt-PT.inc.php b/lang/pt-PT.inc.php
index 55a41073..a2091312 100644
--- a/lang/pt-PT.inc.php
+++ b/lang/pt-PT.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/rs.inc.php b/lang/rs.inc.php
index c1b7da3f..1a565980 100644
--- a/lang/rs.inc.php
+++ b/lang/rs.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ru.inc.php b/lang/ru.inc.php
index f8092011..e6b009f8 100644
--- a/lang/ru.inc.php
+++ b/lang/ru.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/sk.inc.php b/lang/sk.inc.php
index a2a150c6..b5e3bac1 100644
--- a/lang/sk.inc.php
+++ b/lang/sk.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/sl.inc.php b/lang/sl.inc.php
index 082bed85..de165d89 100644
--- a/lang/sl.inc.php
+++ b/lang/sl.inc.php
@@ -181,3 +181,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/sv.inc.php b/lang/sv.inc.php
index 8047e266..33102d99 100644
--- a/lang/sv.inc.php
+++ b/lang/sv.inc.php
@@ -181,3 +181,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/tr.inc.php b/lang/tr.inc.php
index f5792bf0..07364888 100644
--- a/lang/tr.inc.php
+++ b/lang/tr.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/uk.inc.php b/lang/uk.inc.php
index f1dde6da..08be43d4 100644
--- a/lang/uk.inc.php
+++ b/lang/uk.inc.php
@@ -177,3 +177,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/zh-CN.inc.php b/lang/zh-CN.inc.php
index e8dcd341..f0023021 100644
--- a/lang/zh-CN.inc.php
+++ b/lang/zh-CN.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/zh-TW.inc.php b/lang/zh-TW.inc.php
index 5dee1dcd..a9d53b5d 100644
--- a/lang/zh-TW.inc.php
+++ b/lang/zh-TW.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lib/functions.inc.php b/lib/functions.inc.php
index 14df68d7..e430c822 100644
--- a/lib/functions.inc.php
+++ b/lib/functions.inc.php
@@ -60,7 +60,7 @@ function generate_sms_token( $sms_token_length ) { # Get message criticity function get_criticity( $msg ) { - if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|nokeyphrase|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|pwned|invalidsshkey|sshkeyerror|specialatends|forbiddenwords|forbiddenldapfields|diffminchars|badquality|tooyoung|inhistory|throttle|attributesmoderror|insufficiententropy|noreseturl|nocrypttokens|smsnomatch|unknowncustompwdfield|sameascustompwd/" , $msg ) ) { + if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|nokeyphrase|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|pwned|invalidsshkey|sshkeyerror|specialatends|forbiddenwords|forbiddenldapfields|diffminchars|badquality|tooyoung|inhistory|throttle|attributesmoderror|insufficiententropy|noreseturl|nocrypttokens|smsnomatch|unknowncustompwdfield|sameascustompwd|missingformtoken|invalidformtoken/" , $msg ) ) { return "danger"; } diff --git a/templates/sendtoken.tpl b/templates/sendtoken.tpl index 9abdbb48..d3039460 100644 --- a/templates/sendtoken.tpl +++ b/templates/sendtoken.tpl @@ -20,6 +20,7 @@
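Review bot: The alternation in get_criticity is unanchored, so the two names appended here, like every existing one, match as substrings of `$msg` rather than as whole result codes (`nomatch` already matches `smsnomatch`, `answernomatch` and `mailnomatch`), and each new code means editing one very long regex that reviewers cannot easily diff. A plain list of codes checked with `if ( in_array( $msg, $danger_messages, true ) ) {` would make the classification exact and the addition of `missingformtoken` and `invalidformtoken` a two-line change; the list would be declared once above the function with one code per line. The body of get_criticity continues past the end of the hunk.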
+