diff --git a/composer.json b/composer.json
index b3331228..1d2d8ca7 100755
--- a/composer.json
+++ b/composer.json
@@ -13,6 +13,8 @@
"phpmailer/phpmailer": "5.2.6",
"symfony/http-foundation": "2.4.*",
"php-pushover/php-pushover": "dev-master",
- "twig/twig": "1.*"
+ "twig/twig": "1.*",
+ "paragonie/random_compat" : "1.1.6",
+ "indigophp/hash-compat" : "1.1.0"
}
}
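Review bot: The two new polyfills are pinned to exact versions (`"paragonie/random_compat" : "1.1.6"`, `"indigophp/hash-compat" : "1.1.0"`) while every other dependency in the block uses a range, so bug and security releases of the very libraries that back `random_bytes()`/`hash_equals()` would never be picked up by `composer update`. Consider `"paragonie/random_compat": "~1.1"` and `"indigophp/hash-compat": "~1.1"` unless an exact pin is deliberate. Both packages only define the function when the running PHP lacks it, so the controller code that calls them presumably relies on the Composer autoloader being loaded first; worth confirming that holds on the oldest supported PHP version.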
diff --git a/src/includes/psmconfig.inc.php b/src/includes/psmconfig.inc.php
index 68de7b4c..b5ac6468 100644
--- a/src/includes/psmconfig.inc.php
+++ b/src/includes/psmconfig.inc.php
@@ -29,7 +29,7 @@
/**
* Current PSM version
*/
-define('PSM_VERSION', '3.1.1');
+define('PSM_VERSION', '3.1.2');
/**
* URL to check for updates. Will not be checked if turned off on config page.
diff --git a/src/psm/Module/User/Controller/UserController.class.php b/src/psm/Module/User/Controller/UserController.class.php
index f29fa6c9..74f05535 100644
--- a/src/psm/Module/User/Controller/UserController.class.php
+++ b/src/psm/Module/User/Controller/UserController.class.php
@@ -51,6 +51,23 @@ class UserController extends AbstractController {
'index', 'edit', 'delete', 'save',
), 'index');
$this->twig->addGlobal('subtitle', psm_get_lang('menu', 'user'));
+ $this->twig->addFunction(
+ new \Twig_SimpleFunction(
+ 'form_token',
+ function($lock_to = null) {
+ if (empty($_SESSION['token'])) {
+ $_SESSION['token'] = bin2hex(random_bytes(32));
+ }
+ if (empty($_SESSION['token2'])) {
+ $_SESSION['token2'] = random_bytes(32);
+ }
+ if (empty($lock_to)) {
+ return $_SESSION['token'];
+ }
+ return hash_hmac('sha256', $lock_to, $_SESSION['token2']);
+ }
+ )
+ );
}
public function initialize() {
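Review bot: The `$lock_to` branch computes `hash_hmac('sha256', $lock_to, $_SESSION['token2'])`, but nothing in this commit verifies such a locked token — the save handler compares the submitted value only against the plain `$_SESSION['token']`, so a template calling `form_token('something')` would always fail validation. Either add the matching HMAC check on the server side or drop the unused `token2` path until it is needed. `random_bytes()` (and the random_compat polyfill) throws when no secure entropy source is available; the closure lets that propagate out of Twig rendering uncaught, which may be acceptable but deserves a comment such as `// random_bytes() throws if no CSPRNG is available; failing closed is intended`. The enclosing method begins before this hunk, so I cannot tell whether the session is guaranteed to be started before `$_SESSION` is touched here.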
@@ -220,7 +237,9 @@ class UserController extends AbstractController {
return $this->executeIndex();
}
$user_id = (isset($_GET['id'])) ? intval($_GET['id']) : 0;
-
+ if (!hash_equals($_POST['token'], $_SESSION['token'])) {
+ return $this->executeIndex();
+ }
$fields = array('name', 'user_name', 'password', 'password_repeat', 'level', 'mobile', 'pushover_key', 'pushover_device', 'email');
$clean = array();
foreach($fields as $field) {
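Review bot: `hash_equals($_POST['token'], $_SESSION['token'])` passes the user-supplied value as the first argument, but `hash_equals()` expects the known (server-side) string first and the user string second; with a missing `token` POST field it also reads an undefined index and, on older PHP, emits a warning rather than simply returning false. Suggest `$token = isset($_POST['token']) ? (string) $_POST['token'] : '';` followed by `if (empty($_SESSION['token']) || !hash_equals($_SESSION['token'], $token)) {`, so a request without a token, or a session that never issued one, is rejected cleanly. The silent redirect to the index on mismatch gives the user no indication why the save was discarded; a flash message would help, if the controller has one available. The enclosing save method starts before and continues after this hunk.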
diff --git a/src/templates/default/module/user/profile.tpl.html b/src/templates/default/module/user/profile.tpl.html
index f6c78f99..d7b1e942 100644
--- a/src/templates/default/module/user/profile.tpl.html
+++ b/src/templates/default/module/user/profile.tpl.html
@@ -68,4 +68,5 @@
-
\ No newline at end of file
+
+
diff --git a/src/templates/default/module/user/user/update.tpl.html b/src/templates/default/module/user/user/update.tpl.html
index 8c587117..e95f66b2 100644
--- a/src/templates/default/module/user/user/update.tpl.html
+++ b/src/templates/default/module/user/user/update.tpl.html
@@ -79,4 +79,5 @@
-
\ No newline at end of file
+
+