From 8756036646952355091faec922b40e54b6657996 Mon Sep 17 00:00:00 2001
From: xisi
Date: Fri, 17 Jan 2014 06:37:16 -0500
Subject: [PATCH] cleaned up account edit csrf slightly added csrf protection to workers under sitewide config added csrf protection to notifications under sitewide config added csrf protection to invitations under sitewide config cleaned up login page csrf cleaned up contactform/contactform page cleaned up register/register page moved config->csrf->forms->register to sitewide added login ip/user/time to notification on login
---
 public/include/classes/user.class.php | 3 ++
 public/include/config/global.inc.dist.php | 6 ++--
 public/include/pages/account/edit.inc.php | 28 ++++++---------
 .../include/pages/account/invitations.inc.php | 21 ++++++++++--
 .../pages/account/notifications.inc.php | 22 ++++++++++--
 public/include/pages/account/workers.inc.php | 34 +++++++++++++++----
 .../pages/contactform/contactform.inc.php | 10 +++---
 public/include/pages/login.inc.php | 16 +++++----
 public/include/pages/register.inc.php | 2 +-
 .../include/pages/register/register.inc.php | 25 ++++++++------
 .../mail/notifications/success_login.tpl | 3 ++
 .../mpos/account/invitations/default.tpl | 1 +
 .../mpos/account/notifications/default.tpl | 1 +
 .../mpos/account/workers/default.tpl | 2 ++
 public/templates/mpos/register/default.tpl | 2 +-
 15 files changed, 118 insertions(+), 58 deletions(-)
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index a9fe3f97..d238339e 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -150,6 +150,9 @@ class User extends Base {
 $aDataN['username'] = $username;
 $aDataN['email'] = $this->getUserEmail($username);
 $aDataN['subject'] = 'Successful login notification';
+ $aDataN['LOGINIP'] = $this->getCurrentIP();
+ $aDataN['LOGINUSER'] = $this->user;
+ $aDataN['LOGINTIME'] = date('m/d/y H:i:s');
 $notifs->sendNotification($uid, 'success_login', $aDataN);
 }
 return true;
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index 3b7562c9..f8ae62ef 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@@ -135,23 +135,21 @@ $config['twofactor']['options']['changepw'] = true;
 *
 * Options:
 * enabled = Whether or not we will generate/check for valid CSRF tokens
- * sitewide = Require a valid CSRF token for all forms, does not override form specific settings
+ * sitewide = Require a valid CSRF token for most* forms, does not override form specific settings
+ * * contact, account edit, workers, notifications, invites, registration
 * leadtime = Length of time in seconds to give as leeway between minute switches
 * login = Use and check login-specific CSRF token
- * register = Use and check register-specific CSRF token
 *
 * Default:
 * enabled = true
 * sitewide = true
 * leadtime = 3
 * login = true
- * register = true
 */
 $config['csrf']['enabled'] = true;
 $config['csrf']['options']['sitewide'] = true;
 $config['csrf']['options']['leadtime'] = 3;
 $config['csrf']['forms']['login'] = true;
-$config['csrf']['forms']['register'] = true;
 /**
 * Lock account after maximum failed logins
diff --git a/public/include/pages/account/edit.inc.php b/public/include/pages/account/edit.inc.php
index 5d1d305d..0d822e86 100644
--- a/public/include/pages/account/edit.inc.php
+++ b/public/include/pages/account/edit.inc.php
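Review bot: The added `LOGINTIME` is built with `date('m/d/y H:i:s')`, which carries no timezone and a two-digit year, so the recipient of the notification cannot tell which zone the reported login time is in; `$aDataN['LOGINTIME'] = date('c');` (ISO 8601 with UTC offset) makes the timestamp unambiguous for someone deciding whether the login was theirs. `LOGINUSER` is filled from `$this->user` while the surrounding lines pass the `$username` argument for the same notification; if the two can diverge the mail names the wrong account, so `$aDataN['LOGINUSER'] = $username;` would be the safer choice. The enclosing method starts and ends outside the hunk.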
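Review bot: Dropping `$config['csrf']['forms']['register']` makes `sitewide` the only switch that gates the registration token, so a deployment running with `sitewide = false` now also loses the registration CSRF check that used to be switchable on its own; the comment block should say so, e.g. `*  sitewide = false turns the token check off for every form in the list below, including registration`. An existing local config that still sets `$config['csrf']['forms']['register']` will have the key silently ignored, which is worth stating in the commit description.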
@@ -17,7 +17,6 @@ $updating = (@$_POST['do']) ? 1 : 0;
 $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
 if ($csrfenabled) {
 $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
- $csrfvalid = 0;
 }
 if ($user->isAuthenticated()) {
@@ -53,13 +52,8 @@ if ($user->isAuthenticated()) {
 $_SESSION['POPUP'][] = array('CONTENT' => $popupmsg, 'TYPE' => 'info');
 }
- // if csrf is enabled sitewide check this token
- if ($csrfenabled) {
- $csrfvalid = ($nocsrf && $csrfenabled) ? 1 : 0;
- }
-
 if (isset($_POST['do']) && $_POST['do'] == 'genPin') {
- if (!$csrfenabled || $csrfenabled && $csrfvalid) {
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
 if ($user->generatePin($_SESSION['USERDATA']['id'], $_POST['currentPassword'])) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Your PIN # has been sent to your email.', 'TYPE' => 'success');
 } else {
@@ -67,7 +61,7 @@ if ($user->isAuthenticated()) {
 }
 } else {
 $img = $csrftoken->getDescriptionImageHTML();
- $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
 }
 } else {
@@ -79,7 +73,7 @@ if ($user->isAuthenticated()) {
 $isvalid = in_array($_POST['utype'],$validtypes);
 if ($isvalid) {
 $ctype = strip_tags($_POST['utype']);
- if (!$csrfenabled || $csrfenabled && $csrfvalid) {
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
 $send = $user->sendChangeConfigEmail($ctype, $_SESSION['USERDATA']['id']);
 if ($send) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'A confirmation was sent to your e-mail, follow that link to continue', 'TYPE' => 'success');
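Review bot: Every guard in this file is now spelled `!$csrfenabled || $csrfenabled && $nocsrf`, which is the same as `!$csrfenabled || $nocsrf` because `$nocsrf` is only assigned when `$csrfenabled` is set; since the commit already removed the `$csrfvalid` indirection, a single `$csrfok = (!$csrfenabled || $nocsrf) ? 1 : 0;` placed next to the `$nocsrf` assignment in the first hunk would let each branch read `if ($csrfok) {`. The same expression recurs in the later hunks of this file and in invitations.inc.php, notifications.inc.php, workers.inc.php and register/register.inc.php. The six identical "Page token expired" popup blocks would likewise collapse into one small helper, which also keeps the token-failure wording from drifting between pages.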
@@ -88,7 +82,7 @@ if ($user->isAuthenticated()) {
 }
 } else {
 $img = $csrftoken->getDescriptionImageHTML();
- $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
 }
 }
 } else {
@@ -106,7 +100,7 @@ if ($user->isAuthenticated()) {
 $dBalance = $aBalance['confirmed'];
 if ($dBalance > $config['txfee']) {
 if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) {
- if (!$csrfenabled || $csrfenabled && $csrfvalid) {
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
 if ($iPayoutId = $oPayout->createPayout($_SESSION['USERDATA']['id'], $wf_token)) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Created new manual payout request with ID #' . $iPayoutId);
 } else {
@@ -114,7 +108,7 @@ if ($user->isAuthenticated()) {
 }
 } else {
 $img = $csrftoken->getDescriptionImageHTML();
- $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
 }
 } else {
 $_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg');
@@ -126,7 +120,7 @@ if ($user->isAuthenticated()) {
 break;
 case 'updateAccount':
- if (!$csrfenabled || $csrfenabled && $csrfvalid) {
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
 if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $ea_token)) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success');
 } else {
@@ -134,12 +128,12 @@ if ($user->isAuthenticated()) {
 }
 } else {
 $img = $csrftoken->getDescriptionImageHTML();
- $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
 }
 break;
 case 'updatePassword':
- if (!$csrfenabled || $csrfenabled && $csrfvalid) {
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
 if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $cp_token)) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'success');
 } else {
@@ -147,7 +141,7 @@ if ($user->isAuthenticated()) {
 }
 } else {
 $img = $csrftoken->getDescriptionImageHTML();
- $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
 }
 break;
 }
@@ -183,7 +177,7 @@ $smarty->assign("CHANGEPASSSENT", $cp_sent);
 $smarty->assign("WITHDRAWSENT", $wf_sent);
 $smarty->assign("DETAILSSENT", $ea_sent);
 // csrf token
-if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+if ($csrfenabled) {
 $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
 $smarty->assign('CTOKEN', $token);
 }
diff --git a/public/include/pages/account/invitations.inc.php b/public/include/pages/account/invitations.inc.php
index 1fada08d..ce970e56 100644
--- a/public/include/pages/account/invitations.inc.php
+++ b/public/include/pages/account/invitations.inc.php
@@ -5,13 +5,23 @@ if (!defined('SECURITY')) die('Hacking attempt');
 if ($user->isAuthenticated()) {
 if (!$setting->getValue('disable_invitations')) {
+ // csrf stuff
+ $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+ if ($csrfenabled) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
+ }
 if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg');
 } else if (isset($_POST['do']) && $_POST['do'] == 'sendInvitation') {
- if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success');
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg');
+ }
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg');
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Invitation token expired, please try again $img", 'TYPE' => 'info');
 }
 }
 $aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']);
@@ -22,4 +32,9 @@ if ($user->isAuthenticated()) {
 }
 }
 $smarty->assign('CONTENT', 'default.tpl');
+// csrf token
+if ($csrfenabled) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
 ?>
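Review bot: The added `$nocsrf` line compares the generated token with the submitted one using `==`, so PHP's loose comparison applies and a pair of numeric-looking strings can compare equal without being identical; a token check should never depend on that. Use a strict comparison, `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') === (string) @$_POST['ctoken']) ? 1 : 0;`, or `hash_equals()` where the PHP version allows it. The same `==` is on the new `$nocsrf` lines in notifications.inc.php, workers.inc.php, contactform.inc.php, login.inc.php and register/register.inc.php.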
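Review bot: In the second hunk the new `if ($csrfenabled)` runs at file scope, but `$csrfenabled` is only assigned inside `if (!$setting->getValue('disable_invitations'))` within the authenticated branch of the first hunk, so an unauthenticated visitor or a pool with invitations disabled evaluates an undefined variable there. Either hoist the `$csrfenabled = (...) ? 1 : 0;` line above `if ($user->isAuthenticated())` or give it a default, `$csrfenabled = 0;`, before that block. The last hunk of workers.inc.php has the same shape.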
diff --git a/public/include/pages/account/notifications.inc.php b/public/include/pages/account/notifications.inc.php
index 49e18496..ca53b7f2 100644
--- a/public/include/pages/account/notifications.inc.php
+++ b/public/include/pages/account/notifications.inc.php
@@ -7,11 +7,22 @@ if ($user->isAuthenticated()) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info');
 $smarty->assign('CONTENT', 'empty');
 } else {
+ // csrf stuff
+ $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+ if ($csrfenabled) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
+ }
+
 if (@$_REQUEST['do'] == 'save') {
- if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success');
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg');
+ }
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg');
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Notification token expired, please try again $img", 'TYPE' => 'info');
 }
 }
@@ -25,6 +36,11 @@ if ($user->isAuthenticated()) {
 $smarty->assign('NOTIFICATIONS', $aNotifications);
 $smarty->assign('SETTINGS', $aSettings);
 $smarty->assign('CONTENT', 'default.tpl');
+ // csrf token
+ if ($csrfenabled) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+ }
 }
 }
 ?>
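Review bot: The save action is still selected and fed from `$_REQUEST` (`@$_REQUEST['do'] == 'save'` and `$_REQUEST['data']`) while the token that now gates it is read only from `$_POST['ctoken']`, so the state-changing input and its proof of origin come from different superglobals. Since the check can only pass when the form is submitted by POST, reading the rest from the same source costs nothing: `if (@$_POST['do'] == 'save') {` and `$notification->updateSettings($_SESSION['USERDATA']['id'], $_POST['data'])`. The enclosing `if ($user->isAuthenticated())` starts before the hunk.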
diff --git a/public/include/pages/account/workers.inc.php b/public/include/pages/account/workers.inc.php
index 3ccacfd3..23068959 100644
--- a/public/include/pages/account/workers.inc.php
+++ b/public/include/pages/account/workers.inc.php
@@ -3,6 +3,12 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 if ($user->isAuthenticated()) {
+ // csrf stuff
+ $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+ if ($csrfenabled) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
+ }
+
 switch (@$_REQUEST['do']) {
 case 'delete':
 if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
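Review bot: The `delete` branch directly below the new token setup is left outside the CSRF gate: it still acts on `$_GET['id']` with no `$nocsrf` check, so removing a worker remains reachable by a token-less GET request while add and update are now protected. Wrap it in the same guard, `if (!$csrfenabled || $csrfenabled && $nocsrf) {`, with the matching "Worker token expired" popup in an `else`, and carry the token in the delete link in the template; turning the delete into a POST form while touching it would remove the GET side effect altogether. The branch body continues past the end of the hunk.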
@@ -12,17 +18,27 @@ if ($user->isAuthenticated()) {
 }
 break;
 case 'add':
- if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success');
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+ }
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
 }
 break;
 case 'update':
- if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success');
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+ }
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
 }
 break;
 }
@@ -34,5 +50,9 @@ if ($user->isAuthenticated()) {
 }
 $smarty->assign('CONTENT', 'default.tpl');
-
+// csrf token
+if ($csrfenabled) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
 ?>
diff --git a/public/include/pages/contactform/contactform.inc.php b/public/include/pages/contactform/contactform.inc.php
index 5fadba39..7e0a3106 100644
--- a/public/include/pages/contactform/contactform.inc.php
+++ b/public/include/pages/contactform/contactform.inc.php
@@ -16,8 +16,9 @@ if ($setting->getValue('recaptcha_enabled')) {
 }
 // csrf if enabled
-if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
- $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+if ($csrfenabled) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
 }
 if ($setting->getValue('disable_contactform')) {
@@ -29,11 +30,10 @@ if ($setting->getValue('disable_contactform')) {
 // Check if recaptcha is enabled, process form data if valid
 if ($rsp->is_valid) {
 // Check if csrf is enabled and fail if token is invalid
- if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ if (!$nocsrf && $csrfenabled) {
 $img = $csrftoken->getDescriptionImageHTML();
 $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
 } else {
- // csrf is valid or disabled, send
 $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
 if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
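Review bot: The rewritten `$nocsrf` line asks for the token under the form name `'invitations'` where the removed line used `'contact'`; nothing in this commit changes how the contact page generates its token, so unless the generator was switched as well the comparison can never succeed and every submission ends in "Contact token expired" once `sitewide` is on. Restore the form name: `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;`. If the generator was changed to `'invitations'` instead, the contact and invitation forms would share one token scope, which defeats the per-form naming.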
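Review bot: In the second hunk the condition `!$nocsrf && $csrfenabled` reads `$nocsrf` before it tests `$csrfenabled`, but `$nocsrf` is only assigned when `$csrfenabled` is set, so with CSRF disabled the undefined variable is evaluated before the `&&` short-circuits and a notice is raised on every contact submission. Reordering to `if ($csrfenabled && !$nocsrf) {` avoids that and mirrors the `!$csrfenabled || ...` order used on the other pages; the third hunk of this file has the same condition.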
@@ -52,7 +52,7 @@ if ($setting->getValue('disable_contactform')) {
 // Captcha disabled
 } else {
 // Check if csrf is enabled and fail if token is invalid
- if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ if (!$nocsrf && $csrfenabled) {
 $img = $csrftoken->getDescriptionImageHTML();
 $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
 } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php
index 57005c7d..b7590abd 100644
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@@ -3,6 +3,12 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
+// csrf if enabled
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) ? 1 : 0;
+if ($csrfenabled) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
+}
+
 // ReCaptcha handling if enabled
 if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) {
 require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
@@ -21,11 +27,6 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
 }
 }
-// csrf if enabled
-if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
- $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
-}
-
 if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST['username']))) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'You are not allowed to login during maintenace.', 'TYPE' => 'info');
 } else if (!empty($_POST['username']) && !empty($_POST['password'])) {
@@ -57,12 +58,15 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
 } else {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
 }
+ } else {
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
 }
 }
 // Load login template
 $smarty->assign('CONTENT', 'default.tpl');
 // csrf token
-if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
+if ($csrfenabled) {
 $token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
 $smarty->assign('CTOKEN', $token);
 }
diff --git a/public/include/pages/register.inc.php b/public/include/pages/register.inc.php
index 4ae62a6a..2be0e636 100644
--- a/public/include/pages/register.inc.php
+++ b/public/include/pages/register.inc.php
@@ -17,7 +17,7 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
 // Load news entries for Desktop site and unauthenticated users
 $smarty->assign("CONTENT", "default.tpl");
 // csrf token
- if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
 $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
 $smarty->assign('CTOKEN', $token);
 }
diff --git a/public/include/pages/register/register.inc.php b/public/include/pages/register/register.inc.php
index cb262546..deca410d 100644
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
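Review bot: The new `} else {` that reports "Login token expired" closes an `if` whose opening line is outside the hunk and is not touched anywhere in this commit, so it is not visible here whether that condition is the CSRF guard or something else; if it is not a `$csrfenabled`/`$nocsrf` test, a failed login would now be reported as an expired token. Worth confirming that the partner is `if (!$csrfenabled || $csrfenabled && $nocsrf) {` (or equivalent) and, if it is still written against `$config['csrf']['forms']['login']` directly, switching it to `$csrfenabled` as the token-assignment `if` at the end of the hunk already does. The surrounding maintenance/credentials chain also starts before the hunk.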
@@ -18,7 +18,8 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
 }
 // csrf if enabled
-if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+if ($csrfenabled) {
 $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
 }
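Review bot: Unlike the sibling pages touched in this commit, the `$nocsrf` line kept here reads `$_POST['ctoken']` with neither `isset()` nor the `@` the other files use, so the plain GET that renders the registration form raises an undefined-index notice whenever `sitewide` is on. Aligning it with the others, `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;`, removes the notice; the strict-comparison point raised on invitations.inc.php applies to this line as well.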
@@ -28,24 +29,26 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
 $_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg');
 } else {
 // Check if csrf is enabled and fail if token is invalid
- if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
+ // Check if recaptcha is enabled, process form data if valid or disabled
+ isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
+ if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
+ ! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
+ }
+ }
+ } else {
 $img = $csrftoken->getDescriptionImageHTML('register');
 $_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
- } else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
- // Check if recaptcha is enabled, process form data if valid or disabled
- isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
- if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
- ! $setting->getValue('accounts_confirm_email_disabled') ?
 $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
- } else {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
- }
 }
 }
 // We load the default registration template instead of an action specific one
 $smarty->assign("CONTENT", "../default.tpl");
 // csrf token
-if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
 $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
 $smarty->assign('CTOKEN', $token);
 }
diff --git a/public/templates/mail/notifications/success_login.tpl b/public/templates/mail/notifications/success_login.tpl
index df92934b..e1a07bac 100644
--- a/public/templates/mail/notifications/success_login.tpl
+++ b/public/templates/mail/notifications/success_login.tpl
@@ -1,6 +1,9 @@
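Review bot: The restructured block moves the token check ahead of the captcha check, but when the captcha is enabled and `$rsp->is_valid` is false the inner `if` has no `else`, so the request finishes with no popup at all unless the captcha block above the hunk already reports the failure; an explicit `} else { $_SESSION['POPUP'][] = array('CONTENT' => 'Captcha verification failed, please try again', 'TYPE' => 'errormsg'); }` (wording constructed here) would make the outcome visible. The token-assignment `if` at the end of the hunk still spells out `$config['csrf']['enabled'] && $config['csrf']['options']['sitewide']` although `$csrfenabled` now holds exactly that value; `if ($csrfenabled) {` is what edit.inc.php and login.inc.php do. The `else` branch this hunk sits in starts before the hunk.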

Your account has successfully logged in

+

User: {$LOGINUSER}

+

IP: {$LOGINIP}

+

Time: {$LOGINTIME}

If you initiated this login, you can ignore this message. If you did NOT, please notify an administrator.



diff --git a/public/templates/mpos/account/invitations/default.tpl b/public/templates/mpos/account/invitations/default.tpl
index bea7df13..59615fff 100644
--- a/public/templates/mpos/account/invitations/default.tpl
+++ b/public/templates/mpos/account/invitations/default.tpl
@@ -2,6 +2,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}

Invitation

diff --git a/public/templates/mpos/account/notifications/default.tpl b/public/templates/mpos/account/notifications/default.tpl
index b0003f6a..8c0c56e1 100644
--- a/public/templates/mpos/account/notifications/default.tpl
+++ b/public/templates/mpos/account/notifications/default.tpl
@@ -2,6 +2,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}

Notification Settings

diff --git a/public/templates/mpos/account/workers/default.tpl b/public/templates/mpos/account/workers/default.tpl
index 31df5fa0..5682acd0 100644
--- a/public/templates/mpos/account/workers/default.tpl
+++ b/public/templates/mpos/account/workers/default.tpl
@@ -4,6 +4,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}
@@ -29,6 +30,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}
diff --git a/public/templates/mpos/register/default.tpl b/public/templates/mpos/register/default.tpl
index 9a0fa15f..4c83640b 100644
--- a/public/templates/mpos/register/default.tpl
+++ b/public/templates/mpos/register/default.tpl
@@ -7,7 +7,7 @@
 {if $smarty.request.token|default:""} {/if}
-{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.register}{/if}
+{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}