diff --git a/public/include/classes/csrftoken.class.php b/public/include/classes/csrftoken.class.php index b0e59204..68f8e427 100644 --- a/public/include/classes/csrftoken.class.php +++ b/public/include/classes/csrftoken.class.php @@ -19,9 +19,8 @@ class CSRFToken Extends Base { $hour = $data[3]; $minute = $data[4]; $second = $data[5]; $salt1 = $this->salt; $salt2 = $this->salty; $seed = $salt1; $lead = $this->config['csrf']['leadtime']; - if ($lead >= 11) { $lead = 10; } - if ($lead <= 0) { $lead = 3; } - if ($minute == 59 && $second > (60-$lead)) { + $lead_sec = ($lead <= 11 && $lead >= 0) ? $lead : 3; + if ($minute == 59 && $second > (60-$lead_sec)) { $minute = 0; $fhour = ($hour == 23) ? $hour = 0 : $hour+=1; } @@ -36,9 +35,17 @@ class CSRFToken Extends Base { } /** - * Gets the HTML image (?) with short csrf description for users for the incorrect - * token error message - * @param dowhat string What will be put in the string "Simply $dowhat again to..." + * Convenience method to get a token expired message with a token type, and ? image with description + * @param string $tokentype if you want a specific tokentype, set it here + * @param string $dowhat What will be put in the string "Simply $dowhat again to...", default is try + */ + public static function getErrorWithDescriptionHTML($tokentype="", $dowhat="try") { + return ($tokentype !== "") ? "$tokentype token expired, please try again ".self::getDescriptionImageHTML($dowhat) : "Token expired, please try again ".self::getDescriptionImageHTML($dowhat); + } + + /** + * Gets the HTML image (?) with short csrf description for users for the incorrect token error message + * @param dowhat string What will be put in the string "Simply $dowhat again to...", default is try * @return string HTML image with description */ public static function getDescriptionImageHTML($dowhat="try") { diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php index 796c54af..66b13f50 100644 
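Review bot: The replacement guard `$lead_sec = ($lead <= 11 && $lead >= 0) ? $lead : 3;` widens the accepted leadtime window instead of clamping it: 0 and 11 now pass through where the old lines mapped them to 3 and 10, and a value of 0 (or an unset `leadtime`, which loose comparison also lets through as null) makes `60-$lead_sec` equal 60, so the minute-rollover leeway the rest of this method relies on is silently disabled. Anything above 11 now falls back to 3 rather than the old cap of 10, which changes how long a token rendered just before a minute boundary stays valid. Suggest `$lead_sec = ($lead >= 1 && $lead <= 10) ? (int)$lead : 3;` with a comment stating the contract, `// leadtime must be 1..10 seconds; anything else falls back to 3`. The enclosing method continues outside the hunk.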
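Review bot: `getErrorWithDescriptionHTML()` interpolates `$tokentype` straight into a string that is stored in `$_SESSION['POPUP']` alongside the HTML image, so it is presumably rendered unescaped; every call site in this commit passes the default, but a public static helper with a free-form string parameter invites a later caller to feed it request-derived text. Either escape at the boundary, `$label = htmlspecialchars($tokentype, ENT_QUOTES, 'UTF-8');`, or state in the docblock that `$tokentype` must be a literal and is emitted as raw HTML. The two branches also duplicate the suffix; `$prefix = ($tokentype !== "") ? "$tokentype token" : "Token"; return "$prefix expired, please try again ".self::getDescriptionImageHTML($dowhat);` reads more clearly. The docblock for `getDescriptionImageHTML` below still uses the `@param dowhat string` order, unlike the new method's `@param string $dowhat`.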
--- a/public/include/config/global.inc.dist.php +++ b/public/include/config/global.inc.dist.php @@ -134,23 +134,19 @@ $config['twofactor']['options']['changepw'] = true; * form is submitted. * * Options: - * enabled = Whether or not we will generate/check for valid CSRF tokens - * sitewide = Require a valid CSRF token for most* forms, does not override form specific settings - * * contact, account edit, workers, notifications, invites, registration, passsword resets - * login = Use and check login-specific CSRF token - * leadtime = Length of time in seconds to give as leeway between minute switches - * * Don't change this unless you know why you're changing it - * + * enabled = Whether or not we will generate/check for valid CSRF tokens + * leadtime = Length of time in seconds to give as leeway between minute switches + * * Don't change this unless you know why you're changing it + * disabled_forms = Which forms you want to disable csrf protection on, if enabled + * * Valid options : contact, accountedit, workers, notifications, invite, register, passreset, unlockaccount * Default: - * enabled = true - * sitewide = true - * login = true - * leadtime = 3 + * enabled = true + * leadtime = 3 + * disabled_forms = array(); */ $config['csrf']['enabled'] = true; -$config['csrf']['options']['sitewide'] = true; -$config['csrf']['forms']['login'] = true; $config['csrf']['leadtime'] = 3; +$config['csrf']['disabled_forms'] = array(); /** * Lock account after maximum failed logins diff --git a/public/include/pages/account/edit.inc.php b/public/include/pages/account/edit.inc.php index 98b42c3c..4c15f2dc 100644 --- a/public/include/pages/account/edit.inc.php +++ b/public/include/pages/account/edit.inc.php 
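Review bot: The documented `disabled_forms` names do not match what the page handlers check: the comment lists `invite` but invitations.inc.php tests `in_array('invitations', ...)`, and `login` (checked by home.inc.php and login.inc.php) is not listed at all, so an operator following this comment gets no effect from `invite` and cannot tell that `login` is a valid entry. Change the line to `* Valid options : contact, accountedit, workers, notifications, invitations, login, register, passreset, unlockaccount`. Because this is the `.dist` file and the old `options.sitewide` / `forms.login` keys are removed, an existing `global.inc.php` that lacks `disabled_forms` would leave every `in_array(..., $config['csrf']['disabled_forms'])` call operating on null, which presumably warns or errors rather than keeping protection on; a note such as `* Existing installs must add this key when upgrading` is worth adding.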
@@ -14,7 +14,7 @@ $oldtoken_wf = (isset($_POST['wf_token']) && $_POST['wf_token'] !== '') ? $_POST $updating = (@$_POST['do']) ? 1 : 0; // csrf stuff -$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && !in_array('accountedit', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0; } @@ -77,8 +77,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } else { @@ -98,8 +97,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } } else { @@ -119,8 +117,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $iPayoutId->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } else { $_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg'); 
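Review bot: `in_array('accountedit', $config['csrf']['disabled_forms'])` uses loose comparison, so a non-string entry in `disabled_forms` such as `true` matches every form name and silently turns CSRF checking off for all forms at once; pass the strict flag, `!in_array('accountedit', $config['csrf']['disabled_forms'], true)`. The same call is added in invitations.inc.php, notifications.inc.php, unlock.inc.php, workers.inc.php, both contactform files, home.inc.php, login.inc.php, the password pages and the register pages, and should get the flag in each. The `$nocsrf` line just below is unchanged here, but since this value now gates more forms it would be worth replacing its `==` against `@$_POST['ctoken']` with `hash_equals()` on string-cast values at the same time.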
@@ -139,8 +136,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account: ' . $user->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } break; @@ -152,8 +148,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } break; } @@ -198,7 +193,7 @@ $smarty->assign("DETAILSUNLOCKED", $ea_editable); $smarty->assign("CHANGEPASSSENT", $cp_sent); $smarty->assign("WITHDRAWSENT", $wf_sent); $smarty->assign("DETAILSSENT", $ea_sent); -if ($csrfenabled) { +if ($csrfenabled && !in_array('accountedit', $config['csrf']['disabled_forms'])) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/account/invitations.inc.php b/public/include/pages/account/invitations.inc.php index b7fd94e0..e3328f01 100644 --- a/public/include/pages/account/invitations.inc.php +++ b/public/include/pages/account/invitations.inc.php 
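Review bot: `if ($csrfenabled && !in_array('accountedit', $config['csrf']['disabled_forms']))` re-tests a condition that is already folded into `$csrfenabled` at the top of this file, so the second clause can never change the outcome; keeping `if ($csrfenabled) {` as before makes the verify and render paths visibly share one switch, which is what prevents a form from being checked but never issued a token. The same redundant clause is added in invitations.inc.php, notifications.inc.php, unlock.inc.php, workers.inc.php and login.inc.php.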
@@ -6,9 +6,9 @@ if (!defined('SECURITY')) die('Hacking attempt'); if ($user->isAuthenticated()) { if (!$setting->getValue('disable_invitations')) { // csrf stuff - $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; + $csrfenabled = ($config['csrf']['enabled'] && !in_array('invitations', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations') == @$_POST['ctoken']) ? 1 : 0; } if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) { $_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg'); @@ -20,8 +20,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Invitation token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } $aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']); @@ -32,8 +31,8 @@ if ($user->isAuthenticated()) { } } // csrf token -if ($csrfenabled) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH'); +if ($csrfenabled && !in_array('invitations', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations'); $smarty->assign('CTOKEN', $token); } $smarty->assign('CONTENT', 'default.tpl'); diff --git a/public/include/pages/account/notifications.inc.php b/public/include/pages/account/notifications.inc.php index c9c184a6..ff2f7c28 100644 
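Review bot: The rewritten `$nocsrf` line still compares the server-side token with `@$_POST['ctoken']` using `==`, and the commit now routes every protected form through this pattern (notifications.inc.php, workers.inc.php, contactform/contactform.inc.php, password/reset.inc.php, register/register.inc.php and the new unlock.inc.php); PHP's loose comparison treats numeric-looking strings by value, so depending on how `getBasic()` formats the token two different values can compare equal, and a missing field is silently coerced rather than rejected. `$nocsrf = (isset($_POST['ctoken']) && hash_equals((string) $csrftoken->getBasic($user->getCurrentIP(), 'invitations'), (string) $_POST['ctoken'])) ? 1 : 0;` rejects absent tokens explicitly and compares byte-for-byte. `hash_equals()` also removes the timing dependence of `==`, a minor concern for a per-IP, time-bucketed token but free to have.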
--- a/public/include/pages/account/notifications.inc.php +++ b/public/include/pages/account/notifications.inc.php @@ -8,9 +8,9 @@ if ($user->isAuthenticated()) { $smarty->assign('CONTENT', 'empty'); } else { // csrf stuff - $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; + $csrfenabled = ($config['csrf']['enabled'] && !in_array('notifications', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs') == @$_POST['ctoken']) ? 1 : 0; } if (@$_REQUEST['do'] == 'save') { @@ -21,8 +21,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Notification token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } @@ -34,8 +33,8 @@ if ($user->isAuthenticated()) { $aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']); // csrf token - if ($csrfenabled) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH'); + if ($csrfenabled && !in_array('notifications', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs'); $smarty->assign('CTOKEN', $token); } $smarty->assign('NOTIFICATIONS', $aNotifications); diff --git a/public/include/pages/account/unlock.inc.php b/public/include/pages/account/unlock.inc.php index fef18761..3fb4667e 100644 --- a/public/include/pages/account/unlock.inc.php +++ b/public/include/pages/account/unlock.inc.php 
@@ -3,18 +3,33 @@ // Make sure we are called from index.php if (!defined('SECURITY')) die('Hacking attempt'); +// csrf stuff +$csrfenabled = ($config['csrf']['enabled'] && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) ? 1 : 0; +if ($csrfenabled) { + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount') == @$_POST['ctoken']) ? 1 : 0; +} + // Confirm an account by token if (!isset($_GET['token']) || empty($_GET['token'])) { $_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg'); } else if (!$aToken = $oToken->getToken($_GET['token'], 'account_unlock')) { $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to re-activate your account. Invalid token.', 'TYPE' => 'errormsg'); } else { - if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) { - $oToken->deleteToken($aToken['token']); - $_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.'); + if (!$csrfenabled || $csrfenabled && !$nocsrf) { + if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) { + $oToken->deleteToken($aToken['token']); + $_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.'); + } else { + $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to re-activate account. Contact site support.', 'TYPE' => 'errormsg'); + } } else { - $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to re-activate account. 
Contact site support.', 'TYPE' => 'errormsg'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } +// csrf token +if ($csrfenabled && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount'); + $smarty->assign('CTOKEN', $token); +} $smarty->assign('CONTENT', 'default.tpl'); ?> diff --git a/public/include/pages/account/workers.inc.php b/public/include/pages/account/workers.inc.php index 96a076d8..42e03b3e 100644 --- a/public/include/pages/account/workers.inc.php +++ b/public/include/pages/account/workers.inc.php @@ -4,9 +4,9 @@ if (!defined('SECURITY')) die('Hacking attempt'); if ($user->isAuthenticated()) { // csrf stuff - $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; + $csrfenabled = ($config['csrf']['enabled'] && !in_array('workers', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers') == @$_POST['ctoken']) ? 1 : 0; } switch (@$_REQUEST['do']) { @@ -25,8 +25,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } break; case 'update': 
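Review bot: The new gate `if (!$csrfenabled || $csrfenabled && !$nocsrf)` is inverted relative to the convention used elsewhere in this commit (`$nocsrf` is 1 when the posted token matches; compare password/change.inc.php's `if (!$csrfenabled || $csrfenabled && $nocsrf)`): with CSRF enabled, the account is re-activated exactly when no valid token was posted and the "token expired" popup is shown when a valid one is, so the check adds no protection and breaks any template that does submit `CTOKEN`. It should read `if (!$csrfenabled || $nocsrf) {`. Separately, this page is driven by `$_GET['token']` from a link, so on that visit `@$_POST['ctoken']` is always empty; if the intent is to require a confirming POST before unlocking, the template needs a confirm form, otherwise the CSRF block here is dead code. The `!in_array('unlockaccount', ...)` in the token-render block at the bottom repeats what `$csrfenabled` already encodes.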
@@ -37,8 +36,7 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } break; } @@ -49,8 +47,8 @@ if ($user->isAuthenticated()) { $smarty->assign('WORKERS', $aWorkers); } // csrf token -if ($csrfenabled) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH'); +if ($csrfenabled && !in_array('workers', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'workers'); $smarty->assign('CTOKEN', $token); } $smarty->assign('CONTENT', 'default.tpl'); diff --git a/public/include/pages/contactform.inc.php b/public/include/pages/contactform.inc.php index 9b46c4db..821f1a77 100644 --- a/public/include/pages/contactform.inc.php +++ b/public/include/pages/contactform.inc.php @@ -15,7 +15,7 @@ if ($setting->getValue('disable_contactform')) { $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'))); } // csrf token - if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { + if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/contactform/contactform.inc.php b/public/include/pages/contactform/contactform.inc.php index 483e6b3e..3c85df09 100644 --- a/public/include/pages/contactform/contactform.inc.php +++ b/public/include/pages/contactform/contactform.inc.php 
@@ -3,7 +3,6 @@ // Make sure we are called from index.php if (!defined('SECURITY')) die('Hacking attempt'); - if ($setting->getValue('recaptcha_enabled')) { // Load re-captcha specific data require_once(INCLUDE_DIR . '/lib/recaptchalib.php'); @@ -16,9 +15,9 @@ if ($setting->getValue('recaptcha_enabled')) { } // csrf if enabled -$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact') == @$_POST['ctoken']) ? 1 : 0; } if ($setting->getValue('disable_contactform')) { @@ -31,8 +30,7 @@ if ($setting->getValue('disable_contactform')) { if ($rsp->is_valid) { // Check if csrf is enabled and fail if token is invalid if (!$nocsrf && $csrfenabled) { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } else { $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'))); if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) { 
@@ -53,8 +51,7 @@ if ($setting->getValue('disable_contactform')) { } else { // Check if csrf is enabled and fail if token is invalid if (!$nocsrf && $csrfenabled) { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) { $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly'); } else { @@ -64,8 +61,8 @@ if ($setting->getValue('disable_contactform')) { } // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH'); +if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact'); $smarty->assign('CTOKEN', $token); } // Tempalte specifics diff --git a/public/include/pages/home.inc.php b/public/include/pages/home.inc.php index c4dbe852..3033c160 100644 --- a/public/include/pages/home.inc.php +++ b/public/include/pages/home.inc.php @@ -23,7 +23,7 @@ if (!$smarty->isCached('master.tpl', $smarty_cache_key)) { $debug->append('Using cached page', 3); } // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) { +if ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'login'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php index cd8248f7..09f5e1e8 100644 --- a/public/include/pages/login.inc.php +++ b/public/include/pages/login.inc.php 
@@ -4,7 +4,7 @@ if (!defined('SECURITY')) die('Hacking attempt'); // csrf if enabled -$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0; } @@ -59,13 +59,11 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg'); } } else { - // csrf enabled and invalid csrf token - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } // csrf token -if ($csrfenabled) { +if ($csrfenabled && !in_array('login', $config['csrf']['disabled_forms'])) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'login'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/logout.inc.php b/public/include/pages/logout.inc.php index 6a537c1d..30425851 100644 --- a/public/include/pages/logout.inc.php +++ b/public/include/pages/logout.inc.php @@ -7,5 +7,4 @@ if (!defined('SECURITY')) // This probably (?) never fails $user->logoutUser(); $smarty->assign("CONTENT", "default.tpl"); -// header('Location: index.php?page=home'); ?> diff --git a/public/include/pages/password.inc.php b/public/include/pages/password.inc.php index c25254d8..adc1047a 100644 --- a/public/include/pages/password.inc.php +++ b/public/include/pages/password.inc.php 
@@ -5,8 +5,8 @@ if (!defined('SECURITY')) die('Hacking attempt'); // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount'); +if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass'); $smarty->assign('CTOKEN', $token); } // Tempalte specifics diff --git a/public/include/pages/password/change.inc.php b/public/include/pages/password/change.inc.php index 07a5e72e..2c3e08a0 100644 --- a/public/include/pages/password/change.inc.php +++ b/public/include/pages/password/change.inc.php @@ -5,9 +5,9 @@ if (!defined('SECURITY')) die('Hacking attempt'); // csrf stuff -$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - // we have to use editaccount token because this can be called from 2 separate places + // we have to use editaccount token because this that's where we'll get pushed here from $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0; } @@ -20,12 +20,11 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) { } } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { +if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount'); $smarty->assign('CTOKEN', $token); } 
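Review bot: change.inc.php is now gated on `passreset` but verifies (and re-issues) the `editaccount` token, so the two switches can disagree: with `accountedit` in `disabled_forms`, edit.inc.php stops rendering `CTOKEN` while this handler still demands it and every password change fails with "Token expired"; with `passreset` disabled, this handler loses protection although the account-edit page that, per the comment, submits to it still has it. Gate this file on the form it is submitted from, `!in_array('accountedit', $config['csrf']['disabled_forms'])`, in both the `$csrfenabled` line here and the token-render block in the second hunk. The edited comment is also garbled; `// we have to use the editaccount token because this handler is reached from the account edit form` says what was meant.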
diff --git a/public/include/pages/password/reset.inc.php b/public/include/pages/password/reset.inc.php index 9102378b..a32ce104 100644 --- a/public/include/pages/password/reset.inc.php +++ b/public/include/pages/password/reset.inc.php @@ -4,9 +4,9 @@ if (!defined('SECURITY')) die('Hacking attempt'); // csrf stuff -$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetaccount') == @$_POST['ctoken']) ? 1 : 0; + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetpass') == @$_POST['ctoken']) ? 1 : 0; } // Process password reset request @@ -17,13 +17,12 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) { $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg'); } } else { - $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount'); +if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass'); $smarty->assign('CTOKEN', $token); } // Tempalte specifics, user default template by parent page diff --git a/public/include/pages/register.inc.php b/public/include/pages/register.inc.php index 0ef87aae..487e67cb 100644 --- a/public/include/pages/register.inc.php +++ b/public/include/pages/register.inc.php 
@@ -15,8 +15,8 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), null, true)); } // csrf token - if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH'); + if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'register'); $smarty->assign('CTOKEN', $token); } // Load news entries for Desktop site and unauthenticated users diff --git a/public/include/pages/register/register.inc.php b/public/include/pages/register/register.inc.php index deca410d..26fd12f5 100644 --- a/public/include/pages/register/register.inc.php +++ b/public/include/pages/register/register.inc.php @@ -18,9 +18,9 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena } // csrf if enabled -$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) ? 1 : 0; if ($csrfenabled) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0; + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register') == $_POST['ctoken']) ? 1 : 0; } if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) { 
@@ -40,16 +40,15 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist } } } else { - $img = $csrftoken->getDescriptionImageHTML('register'); - $_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info'); } } // We load the default registration template instead of an action specific one $smarty->assign("CONTENT", "../default.tpl"); // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { - $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH'); +if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'register'); $smarty->assign('CTOKEN', $token); } ?> diff --git a/public/templates/mobile/login/default.tpl b/public/templates/mobile/login/default.tpl index 899a990f..f1331892 100644 --- a/public/templates/mobile/login/default.tpl +++ b/public/templates/mobile/login/default.tpl @@ -1,6 +1,6 @@
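Review bot: This call site previously passed `'register'` to `getDescriptionImageHTML()`, so the popup told the user to "Simply register again"; the replacement `$csrftoken->getErrorWithDescriptionHTML()` falls back to the default "try" and also drops the form name from the message, even though the new helper accepts both. `$csrftoken->getErrorWithDescriptionHTML('Register', 'register')` preserves the old wording. The same loss of the form name ("Invitation", "Notification", "Worker", "Contact", "Login" token expired) applies to every other call site the commit rewrites; if that was intentional it is worth saying so in the commit message.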