Merge branch 'next'

2014-01-25 17:35:13 -05:00 · 2014-01-25 17:35:13 -05:00 · ff0915a5c4
commit ff0915a5c4
parent b6eb348d42 643c21d3a7
38 changed files with 117 additions and 223 deletions
--- a/cronjobs/blockupdate.php
+++ b/cronjobs/blockupdate.php
@ -33,8 +33,9 @@ if ( $bitcoin->can_connect() !== true ) {
 // Fetch all unconfirmed blocks
 $aAllBlocks = $block->getAllUnconfirmed(max($config['network_confirmations'],$config['confirmations']));
-$log->logInfo("ID\tHeight\tBlockhash\tConfirmations");
+$header = false;
 foreach ($aAllBlocks as $iIndex => $aBlock) {
  !$header ? $log->logInfo("ID\tHeight\tBlockhash\tConfirmations") : $header = true;
  $aBlockInfo = $bitcoin->getblock($aBlock['blockhash']);
  // Fetch this blocks transaction details to find orphan blocks
  $aTxDetails = $bitcoin->gettransaction($aBlockInfo['tx'][0]);
--- a/cronjobs/findblock.php
+++ b/cronjobs/findblock.php
@ -42,12 +42,13 @@ if ( $bitcoin->can_connect() === true ){
 if (empty($aTransactions['transactions'])) {
  $log->logDebug('No new RPC transactions since last block');
 } else {
-  // Table header
+  $header = false;
  $log->logInfo("Blockhash\t\tHeight\tAmount\tConfirmations\tDiff\t\tTime");
  // Let us add those blocks as unaccounted
  foreach ($aTransactions['transactions'] as $iIndex => $aData) {
    if ( $aData['category'] == 'generate' || $aData['category'] == 'immature' ) {
      // Table header, printe once if we found a block
      !$header ? $log->logInfo("Blockhash\t\tHeight\tAmount\tConfirmations\tDiff\t\tTime") : $header = true;
      $aBlockRPCInfo = $bitcoin->getblock($aData['blockhash']);
      $config['reward_type'] == 'block' ? $aData['amount'] = $aData['amount'] : $aData['amount'] = $config['reward'];
      $aData['height'] = $aBlockRPCInfo['height'];
--- a/cronjobs/notifications.php
+++ b/cronjobs/notifications.php
@ -33,9 +33,9 @@ $log->logDebug("  IDLE Worker Notifications ...");
 // Find all IDLE workers
 $aWorkers = $worker->getAllIdleWorkers();
 if (empty($aWorkers)) {
-  $log->logDebug(" no idle workers found\n");
+  $log->logDebug(" no idle workers found");
 } else {
-  $log->logInfo(" found " . count($aWorkers) . " IDLE workers\n");
+  $log->logInfo(" found " . count($aWorkers) . " IDLE workers");
  foreach ($aWorkers as $aWorker) {
    $aData = $aWorker;
    $aData['username'] = $user->getUserName($aWorker['account_id']);
@ -44,7 +44,7 @@ if (empty($aWorkers)) {
    $aData['email'] = $user->getUserEmail($aData['username']);
    $log->logDebug("    " . $aWorker['username'] . "...");
    if (!$notification->sendNotification($aWorker['account_id'], 'idle_worker', $aData))
-      $log->logDebug("    Failed sending notifications: " . $notification->getCronError() . "\n");
+      $log->logDebug("    Failed sending notifications: " . $notification->getCronError());
  }
 }
@ -53,23 +53,23 @@ $log->logDebug("  Reset IDLE Worker Notifications ...");
 // We notified, lets check which recovered
 $aNotifications = $notification->getAllActive('idle_worker');
 if (!empty($aNotifications)) {
-  $log->logInfo(" found " . count($aNotifications) . " active notification(s)\n");
+  $log->logInfo(" found " . count($aNotifications) . " active notification(s)");
  foreach ($aNotifications as $aNotification) {
    $aData = json_decode($aNotification['data'], true);
    $aWorker = $worker->getWorker($aData['id']);
    $log->logDebug("    " . $aWorker['username'] . " ...");
    if ($aWorker['hashrate'] > 0) {
      if ($notification->setInactive($aNotification['id'])) {
-        $log->logDebug(" updated #" . $aNotification['id'] . " for " . $aWorker['username'] . " as inactive\n");
+        $log->logDebug(" updated #" . $aNotification['id'] . " for " . $aWorker['username'] . " as inactive");
      } else {
-        $log->logError(" failed to update #" . $aNotification['id'] . " for " . $aWorker['username'] . "\n");
+        $log->logError(" failed to update #" . $aNotification['id'] . " for " . $aWorker['username']);
      }
    } else {
-      $log->logDebug(" still inactive\n");
+      $log->logDebug(" still inactive");
    }
  }
 } else {
-  $log->logDebug(" no active IDLE worker notifications\n");
+  $log->logDebug(" no active IDLE worker notifications");
 }
 require_once('cron_end.inc.php');
--- a/cronjobs/proportional_payout.php
+++ b/cronjobs/proportional_payout.php
@ -72,6 +72,10 @@ foreach ($aAllBlocks as $iIndex => $aBlock) {
    // Loop through all accounts that have found shares for this round
    foreach ($aAccountShares as $key => $aData) {
      // Skip users with only invalids
      if ($aData['valid'] == 0) {
        continue;
      }
      // Skip entries that have no account ID, user deleted?
      if (empty($aData['id'])) {
        $log->logInfo('User ' . $aData['username'] . ' does not have an associated account, skipping');
--- a/public/include/classes/csrftoken.class.php
+++ b/public/include/classes/csrftoken.class.php
@ -4,6 +4,7 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 class CSRFToken Extends Base {
  public $valid = 0;
  /**
   * Gets a basic csrf token
   * @param string $user user or IP/host address
--- a/public/include/classes/notification.class.php
+++ b/public/include/classes/notification.class.php
@ -148,7 +148,7 @@ class Notification extends Mail {
      }
    } else {
      $this->setErrorMessage('User disabled ' . $strType . ' notifications');
-      return false;
+      return true;
    }
    $this->setErrorMessage('Error sending mail notification');
    return false;
--- a/public/include/config/error_codes.inc.php
+++ b/public/include/config/error_codes.inc.php
@ -75,4 +75,5 @@ $aErrorCodes['E0074'] = 'Failed deleting expired tokens';
 $aErrorCodes['E0075'] = 'Upgrade required';
 $aErrorCodes['E0076'] = 'No coins in wallet available';
 $aErrorCodes['E0077'] = 'RPC method or connection failed';
 $aErrorCodes['E0078'] = 'RPC method did not return 200 OK';
 ?>
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@ -126,7 +126,7 @@ $config['twofactor']['options']['withdraw'] = true;
 $config['twofactor']['options']['changepw'] = true;
 /**
- * CSRF protection config
+ * CSRF protection
 *
 * Explanation:
 *   To help protect against CSRF, we can generate a hash that changes every minute
@ -134,15 +134,11 @@ $config['twofactor']['options']['changepw'] = true;
 *   form is submitted.
 *
 * Options:
- *   enabled          =   Whether or not we will generate/check for valid CSRF tokens
+ *   enabled          =   Whether or not we will generate & check for valid CSRF tokens
 *   disabled_forms   =   Which forms you want to disable csrf protection on, if enabled
 *                         * Valid options  :  login, contact, accountedit, workers, notifications, invite, register, passreset, unlockaccount
 * Default:
 *   enabled          =   true
 *   disabled_forms   =   array();
 */
 $config['csrf']['enabled'] = true;
 $config['csrf']['disabled_forms'] = array();
 /**
 * Lock account after maximum failed logins
--- a/public/include/pages/account/edit.inc.php
+++ b/public/include/pages/account/edit.inc.php
@ -13,12 +13,6 @@ $oldtoken_cp = (isset($_POST['cp_token']) && $_POST['cp_token'] !== '') ? $_POST
 $oldtoken_wf = (isset($_POST['wf_token']) && $_POST['wf_token'] !== '') ? $_POST['wf_token'] : @$_GET['wf_token'];
 $updating = (@$_POST['do']) ? 1 : 0;
 // csrf stuff 
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('accountedit', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'editaccount', @$_POST['ctoken'])) ? 1 : 0;
 }
 if ($user->isAuthenticated()) {
  if ($config['twofactor']['enabled']) {
    $popupmsg = 'E-mail confirmations are required for ';
@ -70,7 +64,7 @@ if ($user->isAuthenticated()) {
  }
  if (isset($_POST['do']) && $_POST['do'] == 'genPin') {
-    if (!$csrfenabled || $csrfenabled && $nocsrf) {
+    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
      if ($user->generatePin($_SESSION['USERDATA']['id'], $_POST['currentPassword'])) {
        $_SESSION['POPUP'][] = array('CONTENT' => 'Your PIN # has been sent to your email.', 'TYPE' => 'success');
      } else {
@ -89,7 +83,7 @@ if ($user->isAuthenticated()) {
        $isvalid = in_array($_POST['utype'],$validtypes);
        if ($isvalid) {
          $ctype = strip_tags($_POST['utype']);
-          if (!$csrfenabled || $csrfenabled && $nocsrf) {
+          if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
            $send = $user->sendChangeConfigEmail($ctype, $_SESSION['USERDATA']['id']);
            if ($send) {
              $_SESSION['POPUP'][] = array('CONTENT' => 'A confirmation was sent to your e-mail, follow that link to continue', 'TYPE' => 'success');
@ -110,7 +104,7 @@ if ($user->isAuthenticated()) {
        	  $dBalance = $aBalance['confirmed'];
        	  if ($dBalance > $config['txfee_manual']) {
        	    if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) {
-        	      if (!$csrfenabled || $csrfenabled && $nocsrf) {
+        	      if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
        	        if ($iPayoutId = $oPayout->createPayout($_SESSION['USERDATA']['id'], $oldtoken_wf)) {
        	          $_SESSION['POPUP'][] = array('CONTENT' => 'Created new manual payout request with ID #' . $iPayoutId);
        	        } else {
@ -129,7 +123,7 @@ if ($user->isAuthenticated()) {
        	break;
          case 'updateAccount':
-            if (!$csrfenabled || $csrfenabled && $nocsrf) {
+            if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
              if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $oldtoken_ea)) {
            	$_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success');
              } else {
@ -141,7 +135,7 @@ if ($user->isAuthenticated()) {
        	break;
          case 'updatePassword':
-            if (!$csrfenabled || $csrfenabled && $nocsrf) {
+            if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
              if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $oldtoken_cp)) {
                $_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'success');
              } else {
@ -185,8 +179,7 @@ if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
  (!empty($cpprep_sent) && !empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $cpprep_sent, 'TYPE' => 'success'):"";
  (!empty($cpprep_sent) && empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $message_tokensent_invalid.$messages_tokensent_status['cp'], 'TYPE' => 'success'):"";
 }
-
+// two-factor stuff
 // csrf stuff
 $smarty->assign("CHANGEPASSUNLOCKED", $cp_editable);
 $smarty->assign("WITHDRAWUNLOCKED", $wf_editable);
 $smarty->assign("DETAILSUNLOCKED", $ea_editable);
@ -194,10 +187,7 @@ $smarty->assign("CHANGEPASSSENT", $cp_sent);
 $smarty->assign("WITHDRAWSENT", $wf_sent);
 $smarty->assign("DETAILSSENT", $ea_sent);
 $smarty->assign("DONATE_THRESHOLD", $config['donate_threshold']);
-if ($csrfenabled && !in_array('accountedit', $config['csrf']['disabled_forms'])) {
+
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
 ?>
--- a/public/include/pages/account/invitations.inc.php
+++ b/public/include/pages/account/invitations.inc.php
@ -5,15 +5,10 @@ if (!defined('SECURITY')) die('Hacking attempt');
 if ($user->isAuthenticated()) {
  if (!$setting->getValue('disable_invitations')) {
    // csrf stuff
    $csrfenabled = ($config['csrf']['enabled'] && !in_array('invitations', $config['csrf']['disabled_forms'])) ? 1 : 0;
    if ($csrfenabled) {
      $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'invitations', @$_POST['ctoken'])) ? 1 : 0;
    }
    if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) {
      $_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg');
    } else if (isset($_POST['do']) && $_POST['do'] == 'sendInvitation') {
-      if (!$csrfenabled || $csrfenabled && $nocsrf) {
+      if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
        if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) {
          $_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success');
        } else {
@ -30,10 +25,5 @@ if ($user->isAuthenticated()) {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Invitations are disabled', 'TYPE' => 'errormsg');
  }
 }
 // csrf token
 if ($csrfenabled && !in_array('invitations', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations');
  $smarty->assign('CTOKEN', $token);
 }
 $smarty->assign('CONTENT', 'default.tpl');
 ?>
--- a/public/include/pages/account/notifications.inc.php
+++ b/public/include/pages/account/notifications.inc.php
@ -7,14 +7,8 @@ if ($user->isAuthenticated()) {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info');
    $smarty->assign('CONTENT', 'empty');
  } else {
    // csrf stuff
    $csrfenabled = ($config['csrf']['enabled'] && !in_array('notifications', $config['csrf']['disabled_forms'])) ? 1 : 0;
    if ($csrfenabled) {
      $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'editnotifs', @$_POST['ctoken'])) ? 1 : 0;
    }
    if (@$_REQUEST['do'] == 'save') {
-      if (!$csrfenabled || $csrfenabled && $nocsrf) {
+      if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
        if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
          $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success');
        } else {
@ -31,15 +25,11 @@ if ($user->isAuthenticated()) {
    // Fetch user notification settings
    $aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']);
-
+    
    // csrf token
    if ($csrfenabled && !in_array('notifications', $config['csrf']['disabled_forms'])) {
      $token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs');
      $smarty->assign('CTOKEN', $token);
    }
    $smarty->assign('NOTIFICATIONS', $aNotifications);
    $smarty->assign('SETTINGS', $aSettings);
    $smarty->assign('CONTENT', 'default.tpl');
  }
 }
-?>
+
 ?>
--- a/public/include/pages/account/unlock.inc.php
+++ b/public/include/pages/account/unlock.inc.php
@ -3,19 +3,13 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 // csrf stuff
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'unlockaccount', @$_POST['ctoken'])) ? 1 : 0;
 }
 // Confirm an account by token
 if (!isset($_GET['token']) || empty($_GET['token'])) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
 } else if (!$aToken = $oToken->getToken($_GET['token'], 'account_unlock')) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to re-activate your account. Invalid token.', 'TYPE' => 'errormsg');
 } else {
-  if (!$csrfenabled || $csrfenabled && !$nocsrf) {
+  if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
    if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) {
      $oToken->deleteToken($aToken['token']);
      $_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.');
@ -26,10 +20,6 @@ if (!isset($_GET['token']) || empty($_GET['token'])) {
    $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
  }
 }
 // csrf token
 if ($csrfenabled && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount');
  $smarty->assign('CTOKEN', $token);
 }
 $smarty->assign('CONTENT', 'default.tpl');
-?>
+
 ?>
--- a/public/include/pages/account/workers.inc.php
+++ b/public/include/pages/account/workers.inc.php
@ -3,22 +3,21 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 if ($user->isAuthenticated()) {
  // csrf stuff
  $csrfenabled = ($config['csrf']['enabled'] && !in_array('workers', $config['csrf']['disabled_forms'])) ? 1 : 0;
  if ($csrfenabled) {
    $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'workers', @$_POST['ctoken'])) ? 1 : 0;
  }
  switch (@$_REQUEST['do']) {
  case 'delete':
-    if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
+    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
-      $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
+      if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
        $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
      } else {
        $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
      }
    } else {
-      $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+      $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
    }
    break;
  case 'add':
-    if (!$csrfenabled || $csrfenabled && $nocsrf) {
+    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
      if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
        $_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success');
      } else {
@ -28,8 +27,9 @@ if ($user->isAuthenticated()) {
      $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
    }
    break;
  case 'update':
-    if (!$csrfenabled || $csrfenabled && $nocsrf) {
+    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
      if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
        $_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success');
      } else {
@ -46,10 +46,6 @@ if ($user->isAuthenticated()) {
  $smarty->assign('WORKERS', $aWorkers);
 }
 // csrf token
 if ($csrfenabled && !in_array('workers', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'workers');
  $smarty->assign('CTOKEN', $token);
 }
 $smarty->assign('CONTENT', 'default.tpl');
-?>
+
 ?>
--- a/public/include/pages/contactform.inc.php
+++ b/public/include/pages/contactform.inc.php
@ -14,11 +14,6 @@ if ($setting->getValue('disable_contactform')) {
    require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
    $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
  }
  // csrf token
  if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
    $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
    $smarty->assign('CTOKEN', $token);
  }
  // Tempalte specifics
  $smarty->assign("CONTENT", "default.tpl");
 }
--- a/public/include/pages/contactform/contactform.inc.php
+++ b/public/include/pages/contactform/contactform.inc.php
@ -14,12 +14,6 @@ if ($setting->getValue('recaptcha_enabled')) {
  );
 }
 // csrf if enabled
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'contact', @$_POST['ctoken'])) ? 1 : 0;
 }
 if ($setting->getValue('disable_contactform')) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
 } else if ($setting->getValue('disable_contactform') && !$user->isAuthenticated(false)) {
@ -29,7 +23,7 @@ if ($setting->getValue('disable_contactform')) {
    // Check if recaptcha is enabled, process form data if valid
    if ($rsp->is_valid) {
      // Check if csrf is enabled and fail if token is invalid
-      if (!$nocsrf && $csrfenabled) {
+      if ($config['csrf']['enabled'] && $csrftoken->valid) {
        $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
      } else {
        $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
@ -50,7 +44,7 @@ if ($setting->getValue('disable_contactform')) {
    // Captcha disabled
  } else {
    // Check if csrf is enabled and fail if token is invalid
-    if (!$nocsrf && $csrfenabled) {
+    if ($config['csrf']['enabled'] && !$csrftoken->valid) {
      $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
    } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
@ -60,11 +54,7 @@ if ($setting->getValue('disable_contactform')) {
  }
 }
 // csrf token
 if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
-?>
+
 ?>
--- a/public/include/pages/home.inc.php
+++ b/public/include/pages/home.inc.php
@ -22,11 +22,6 @@ if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
 } else {
  $debug->append('Using cached page', 3);
 }
 // csrf token
 if ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
  $smarty->assign('CTOKEN', $token);
 }
 // Load news entries for Desktop site and unauthenticated users
 $smarty->assign("CONTENT", "default.tpl");
 ?>
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@ -3,12 +3,6 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 // csrf if enabled
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'login', @$_POST['ctoken'])) ? 1 : 0;
 }
 // ReCaptcha handling if enabled
 if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) {
  require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
@ -31,7 +25,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
 } else if (!empty($_POST['username']) && !empty($_POST['password'])) {
  // Check if recaptcha is enabled, process form data if valid
  if (!$setting->getValue('recaptcha_enabled') || !$setting->getValue('recaptcha_enabled_logins') || ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins') && $rsp->is_valid)) {
-    if (!$csrfenabled || $csrfenabled && $nocsrf) {
+    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
      if ($user->checkLogin(@$_POST['username'], @$_POST['password']) ) {
        empty($_POST['to']) ? $to = $_SERVER['SCRIPT_NAME'] : $to = $_POST['to'];
        $port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
@ -48,11 +42,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
    $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
  }
 }
-// csrf token
+
 if ($csrfenabled && !in_array('login', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
  $smarty->assign('CTOKEN', $token);
 }
 // Load login template
 $smarty->assign('CONTENT', 'default.tpl');
 ?>
--- a/public/include/pages/password.inc.php
+++ b/public/include/pages/password.inc.php
@ -4,11 +4,7 @@
 if (!defined('SECURITY'))
    die('Hacking attempt');
 // csrf token
 if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
-?>
+
 ?>
--- a/public/include/pages/password/change.inc.php
+++ b/public/include/pages/password/change.inc.php
@ -4,14 +4,7 @@
 if (!defined('SECURITY'))
  die('Hacking attempt');
-// csrf stuff
+if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  // we have to use editaccount token because this that's where we'll get pushed here from
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'editaccount', @$_POST['ctoken'])) ? 1 : 0;
 }
 if (!$csrfenabled || $csrfenabled && $nocsrf) {
  if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
    if ($user->resetPassword($_POST['token'], $_POST['newPassword'], $_POST['newPassword2'])) {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Password reset complete! Please login.', 'TYPE' => 'success');
@ -23,13 +16,7 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
  $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
 }
 // csrf token
 if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
-?>
+?>
--- a/public/include/pages/password/reset.inc.php
+++ b/public/include/pages/password/reset.inc.php
@ -3,14 +3,8 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 // csrf stuff
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'resetpass', @$_POST['ctoken'])) ? 1 : 0;
 }
 // Process password reset request
-if (!$csrfenabled || $csrfenabled && $nocsrf) {
+if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
  if ($user->initResetPassword($_POST['username'], $smarty)) {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
  } else {
@ -20,11 +14,6 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
  $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
 }
 // csrf token
 if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
  $smarty->assign('CTOKEN', $token);
 }
 // Tempalte specifics, user default template by parent page
 $smarty->assign("CONTENT", "../default.tpl");
 ?>
--- a/public/include/pages/register.inc.php
+++ b/public/include/pages/register.inc.php
@ -14,11 +14,6 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
    require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
    $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), null, true));
  }
  // csrf token
  if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
    $token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
    $smarty->assign('CTOKEN', $token);
  }
  // Load news entries for Desktop site and unauthenticated users
  $smarty->assign("CONTENT", "default.tpl");
 }
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
@ -17,24 +17,18 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
  $recaptcha = ($rsp->is_valid) ? 1 : 0;
 }
 // csrf if enabled
 $csrfenabled = ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) ? 1 : 0;
 if ($csrfenabled) {
  $nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'register', @$_POST['ctoken'])) ? 1 : 0;
 }
 if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
 } else if ($setting->getValue('lock_registration') && !$setting->getValue('disable_invitations') && !isset($_POST['token'])) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg');
 } else {
  // Check if csrf is enabled and fail if token is invalid
-  if (!$csrfenabled || $csrfenabled && $nocsrf) {
+  if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
    if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
      // Check if recaptcha is enabled, process form data if valid or disabled
      isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
      if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
-        ! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
+        (!$setting->getValue('accounts_confirm_email_disabled')) ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
      } else {
        $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
      }
@ -46,9 +40,5 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
 // We load the default registration template instead of an action specific one
 $smarty->assign("CONTENT", "../default.tpl");
-// csrf token
+
 if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
  $token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
  $smarty->assign('CTOKEN', $token);
 }
 ?>
--- a/public/index.php
+++ b/public/index.php
@ -36,27 +36,26 @@ $master_template = 'master.tpl';
 // Start a session
 session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
-if (!@session_start()) {
+$session_start = @session_start();
-	$user->logoutUser();
+if (!$session_start) {
-	if (!@session_regenerate_id(true)) {
+  session_destroy();
-		$user->logoutUser();
+  session_regenerate_id(true);
-	}
+  session_start();
 	if(!@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly'])) {
 		@setcookie(session_name(),session_id(), time()-$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']); 
 	}
 }
@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
 // Load Classes, they name defines the $ variable used
 // We include all needed files here, even though our templates could load them themself
 require_once(INCLUDE_DIR . '/autoloader.inc.php');
 // Create our pages array from existing files
 if (is_dir(INCLUDE_DIR . '/pages/')) {
-    foreach (glob(INCLUDE_DIR . '/pages/*.inc.php') as $filepath) {
+  foreach (glob(INCLUDE_DIR . '/pages/*.inc.php') as $filepath) {
-        $filename = basename($filepath);
+    $filename = basename($filepath);
-        $pagename = substr($filename, 0, strlen($filename) - 8);
+    $pagename = substr($filename, 0, strlen($filename) - 8);
-        $arrPages[$pagename] = $filename;
+    $arrPages[$pagename] = $filename;
-        $debug->append("Adding $pagename as " . $filename . " to accessible pages", 4);
+    $debug->append("Adding $pagename as " . $filename . " to accessible pages", 4);
-    }
+  }
 }
 // Set a default action here if no page has been requested
@ -71,23 +70,31 @@ if (isset($_REQUEST['page']) && isset($arrPages[$_REQUEST['page']])) {
 // Create our pages array from existing files
 if (is_dir(INCLUDE_DIR . '/pages/' . $page)) {
-    foreach (glob(INCLUDE_DIR . '/pages/' . $page . '/*.inc.php') as $filepath) {
+  foreach (glob(INCLUDE_DIR . '/pages/' . $page . '/*.inc.php') as $filepath) {
-        $filename = basename($filepath);
+    $filename = basename($filepath);
-        $pagename = substr($filename, 0, strlen($filename) - 8);
+    $pagename = substr($filename, 0, strlen($filename) - 8);
-        $arrActions[$pagename] = $filename;
+    $arrActions[$pagename] = $filename;
-        $debug->append("Adding $pagename as " . $filename . ".inc.php to accessible actions", 4);
+    $debug->append("Adding $pagename as " . $filename . ".inc.php to accessible actions", 4);
-    }
+  }
 }
 // Default to empty (nothing) if nothing set or not known
 $action = (isset($_REQUEST['action']) && !is_array($_REQUEST['action'])) && isset($arrActions[$_REQUEST['action']]) ? $_REQUEST['action'] : "";
 // Check csrf token validity if necessary
 if ($config['csrf']['enabled'] && isset($_POST['ctoken']) && !empty($_POST['ctoken']) && !is_array($_POST['ctoken'])) {
  $csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_POST['ctoken'])) ? 1 : 0;
 } else if ($config['csrf']['enabled'] && (!@$_POST['ctoken'] || empty($_POST['ctoken']) || is_array($_POST['ctoken']))) {
  $csrftoken->valid = 0;
 }
 if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic($user->getCurrentIP(), $arrPages[$page]));
 // Load the page code setting the content for the page OR the page action instead if set
 if (!empty($action)) {
-    $debug->append('Loading Action: ' . $action . ' -> ' . $arrActions[$action], 1);
+  $debug->append('Loading Action: ' . $action . ' -> ' . $arrActions[$action], 1);
-    require_once(PAGES_DIR . '/' . $page . '/' . $arrActions[$action]);
+  require_once(PAGES_DIR . '/' . $page . '/' . $arrActions[$action]);
 } else {
-    $debug->append('Loading Page: ' . $page . ' -> ' . $arrPages[$page], 1);
+  $debug->append('Loading Page: ' . $page . ' -> ' . $arrPages[$page], 1);
-    require_once(PAGES_DIR . '/' . $arrPages[$page]);
+  require_once(PAGES_DIR . '/' . $arrPages[$page]);
 }
 define('PAGE', $page);
@ -110,4 +117,5 @@ if (!@$supress_master) $smarty->display($master_template, $smarty_cache_key);
 // Unset any temporary values here
 unset($_SESSION['POPUP']);
-?>
+
 ?>
--- a/public/templates/mobile/login/default.tpl
+++ b/public/templates/mobile/login/default.tpl
@ -1,6 +1,6 @@
      <form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm" data-ajax="false">
        <input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
-        {if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+        <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
        <p><label for="userForm">Email</label><input type="text" name="username" value="" id="userForm"></p>
        <p><label for="passForm">Password</label><input type="password" name="password" value="" id="passForm"></p>
        <center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center>
--- a/public/templates/mobile/password/change/default.tpl
+++ b/public/templates/mobile/password/change/default.tpl
@ -2,7 +2,7 @@
      <input type="hidden" name="token" value="{$smarty.request.token|escape}">
      <input type="hidden" name="page" value="{$smarty.request.page|escape}">
      <input type="hidden" name="action" value="{$smarty.request.action|escape}">
-      {if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+      <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
      <input type="hidden" name="do" value="useToken">
      <table>
        <tr><td>New Password: </td><td><input type="password" name="newPassword"></td></tr>
--- a/public/templates/mobile/password/default.tpl
+++ b/public/templates/mobile/password/default.tpl
@ -1,7 +1,7 @@
 <form action="" method="POST">
 <input type="hidden" name="page" value="password">
 <input type="hidden" name="action" value="reset">
-{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
  <p>If you have an email set for your account, enter your username to get your password reset</p>
  <p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
 </form>
--- a/public/templates/mpos/account/edit/default.tpl
+++ b/public/templates/mpos/account/edit/default.tpl
@ -56,7 +56,7 @@
    <footer>
      <div class="submit_link">
      {nocache}
-        {if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+        <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
        <input type="hidden" name="ea_token" value="{$smarty.request.ea_token|escape|default:""}">
        <input type="hidden" name="utype" value="account_edit">
        {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.details}
@ -106,7 +106,7 @@
      <div class="submit_link">
      {nocache}
        <input type="hidden" name="wf_token" value="{$smarty.request.wf_token|escape|default:""}">
-        {if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+        <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
        <input type="hidden" name="utype" value="withdraw_funds">
        {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.withdraw}
          {if $WITHDRAWSENT == 1 && $WITHDRAWUNLOCKED == 1}
@ -161,7 +161,7 @@
      <div class="submit_link">
      {nocache}
        <input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
-        {if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+        <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
        <input type="hidden" name="utype" value="change_pw">
        {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
          {if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
@ -185,7 +185,7 @@
  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
  <input type="hidden" name="do" value="genPin">
-  {if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+  <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
 	<article class="module width_half">
 	  <header>
 		  <h3>Reset PIN</h3>
--- a/public/templates/mpos/account/invitations/default.tpl
+++ b/public/templates/mpos/account/invitations/default.tpl
@ -2,7 +2,7 @@
  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
  <input type="hidden" name="do" value="sendInvitation">
-  {if $GLOBAL.csrf.enabled && !"invite"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+  <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
  <article class="module width_quarter">
    <header><h3>Invitation</h3></header>
    <div class="module_content">
--- a/public/templates/mpos/account/notifications/default.tpl
+++ b/public/templates/mpos/account/notifications/default.tpl
@ -2,7 +2,7 @@
  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
  <input type="hidden" name="do" value="save">
-  {if $GLOBAL.csrf.enabled && !"notifications"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+  <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
  <article class="module width_quarter">
    <header>
      <h3>Notification Settings</h3>
--- a/public/templates/mpos/account/workers/default.tpl
+++ b/public/templates/mpos/account/workers/default.tpl
@ -4,7 +4,7 @@
    <input type="hidden" name="page" value="{$smarty.request.page|escape}">
    <input type="hidden" name="action" value="{$smarty.request.action|escape}">
    <input type="hidden" name="do" value="add">
-    {if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <div class="module_content">
      <fieldset>
        <label>Worker Name</label>
@ -30,7 +30,7 @@
    <input type="hidden" name="page" value="{$smarty.request.page|escape}">
    <input type="hidden" name="action" value="{$smarty.request.action|escape}">
    <input type="hidden" name="do" value="update">
-    {if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <table class="tablesorter" cellspacing="0">
      <thead>
        <tr>
--- a/public/templates/mpos/contactform/contactform/default.tpl
+++ b/public/templates/mpos/contactform/contactform/default.tpl
@ -1,7 +1,7 @@
 <form action="{$smarty.server.SCRIPT_NAME}" method="post">
  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
  <input type="hidden" name="action" value="contactform">
-  {if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+  <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <article class="module width_3_quarter">
    <header><h3>Contact Us</h3></header>
    <div class="module_content">
--- a/public/templates/mpos/contactform/default.tpl
+++ b/public/templates/mpos/contactform/default.tpl
@ -1,7 +1,7 @@
 <form action="{$smarty.server.SCRIPT_NAME}" method="post">
  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
  <input type="hidden" name="action" value="contactform">
-  {if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+  <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <article class="module width_3_quarter">
    <header><h3>Contact Us</h3></header>
    <div class="module_content">
--- a/public/templates/mpos/login/default.tpl
+++ b/public/templates/mpos/login/default.tpl
@ -1,7 +1,7 @@
 <article class="module width_half">
  <form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm">
    <input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
-    {if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <header><h3>Login with existing account</h3></header>
    <div class="module_content">
        <fieldset>
--- a/public/templates/mpos/login/small.tpl
+++ b/public/templates/mpos/login/small.tpl
@ -2,7 +2,7 @@
 <div class="login_small">
  <form action="{$smarty.server.SCRIPT_NAME}" method="post" id="loginForm">
    <input type="hidden" name="page" value="login" />
-    {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.login}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <input type="hidden" name="to" value="{$smarty.server.SCRIPT_NAME}?page=dashboard" />
    <fieldset2 class="small">
      <label>Username</label>
--- a/public/templates/mpos/password/change/default.tpl
+++ b/public/templates/mpos/password/change/default.tpl
@ -3,7 +3,7 @@
    <input type="hidden" name="token" value="{$smarty.request.token|escape}">
    <input type="hidden" name="page" value="{$smarty.request.page|escape}">
    <input type="hidden" name="action" value="{$smarty.request.action|escape}">
-    {if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <input type="hidden" name="do" value="resetPassword">
    <header><h3>Password reset</h3></header>
@ -21,7 +21,6 @@
    <footer>
      {nocache}
        <input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
        {if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
        <input type="hidden" name="utype" value="change_pw">
        {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
          {if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
--- a/public/templates/mpos/password/default.tpl
+++ b/public/templates/mpos/password/default.tpl
@ -2,7 +2,7 @@
  <form action="" method="POST">
    <input type="hidden" name="page" value="password">
    <input type="hidden" name="action" value="reset">
-    {if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <header><h3>Password reset</h3></header>
    <div class="module_content">
      <p>If you have an email set for your account, enter your username to get your password reset</p>
--- a/public/templates/mpos/register/default.tpl
+++ b/public/templates/mpos/register/default.tpl
@ -7,7 +7,7 @@
 {if $smarty.request.token|default:""}
    <input type="hidden" name="token" value="{$smarty.request.token|escape}" />
 {/if}
-{if $GLOBAL.csrf.enabled && !"register"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+	<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
    <input type="hidden" name="action" value="register">
    <fieldset>
      <label>Username</label>
--- a/public/templates/mpos/statistics/uptime/default.tpl
+++ b/public/templates/mpos/statistics/uptime/default.tpl
@ -24,7 +24,7 @@
 {assign var=node value="."|explode:$item.friendlyname}
      <tr>
        <td align="center"><img src="{$GLOBALASSETS}/images/flags/{$node.0}.png"/></td>
-        <td align="center">{$node.1}</td>
+        {if $node|count > 1}<td align="center">{$node.1}</td>{/if}
        <td align="center"><span class="ur-status-{$CODES[$item.status]|lower}">{$CODES[$item.status]}</span></td>
        <td align="center">{$item.log.1.datetime|date_format:"%b %d, %Y %H:%M"}</td>
        <td align="center"><span class="chart" data-percent="{$item.customuptimeratio.0}"><span class="percent"></span></span></td>