diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index 33070f91..4c934032 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -688,4 +688,24 @@ function jspath()
 return "js/$jsver";
 }
-?>
\ No newline at end of file
+/* authorization token check for CSRF attack */
+function csrfchecktoken(){
+ if(!isset($_SESSION['csrf_token'])){
+ $_SESSION['csrf_token']=sha1(rand(10000000,99999999));
+ }
+ // check the turing code
+ if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ //if token match
+ if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
+
+ die("CSRF failure");
+ }
+ }
+}
+
+/* print csrf token as a hidden field*/
+function print_csrf_token_input(){
+ echo "";
+}
+
+?>
diff --git a/src/messenger/webim/libs/operator_settings.php b/src/messenger/webim/libs/operator_settings.php
index edf112d7..252f508c 100644
--- a/src/messenger/webim/libs/operator_settings.php
+++ b/src/messenger/webim/libs/operator_settings.php
@@ -44,4 +44,4 @@ function setup_operator_settings_tabs($opId, $active)
 }
 }
-?>
\ No newline at end of file
+?>
diff --git a/src/messenger/webim/operator/cannededit.php b/src/messenger/webim/operator/cannededit.php
index 6d208aff..e375ac3b 100644
--- a/src/messenger/webim/operator/cannededit.php
+++ b/src/messenger/webim/operator/cannededit.php
@@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
+csrfchecktoken();
+
 function load_message($key)
 {
 global $mysqlprefix;
@@ -101,4 +103,4 @@ prepare_menu($operator, false);
 start_html_output();
 require('../view/cannededit.php');
 exit;
-?>
\ No newline at end of file
+?>
diff --git a/src/messenger/webim/operator/operator.php b/src/messenger/webim/operator/operator.php
index 1304fcd3..693b61df 100644
--- a/src/messenger/webim/operator/operator.php
+++ b/src/messenger/webim/operator/operator.php
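Review bot: The token `csrfchecktoken()` stores in the session is `sha1(rand(10000000,99999999))`, which has only about 90 million possible values from a non-cryptographic generator, so it is far weaker than the 160-bit digest suggests, and the POST comparison in the inner `if` uses loose `!=`, which PHP may evaluate numerically for digit-and-`e` strings and which is not constant-time. Generate the token from a CSPRNG and compare strictly, e.g. `$_SESSION['csrf_token'] = bin2hex(random_bytes(20));` and `if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {` (`random_bytes`/`hash_equals` need PHP 7.0/5.6; on older targets, read from `openssl_random_pseudo_bytes` and compare with `===`). `die("CSRF failure")` exits with a 200 status, so a `header('HTTP/1.1 403 Forbidden');` before it would make rejections visible to logs and monitoring. The `// check the turing code` comment does not describe this check; `// reject POSTs whose csrf_token does not match the session token` would. `print_csrf_token_input()` shows an empty `echo "";` on this page, presumably lost in rendering; whatever markup it emits should pass the token value through `htmlspecialchars()`.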
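Review bot: `csrfchecktoken()` is wired into each page by hand here and in the matching hunks of operator/operator.php and operator/settings.php, so any operator page that handles POST but is not touched by this commit stays unprotected, and in those two files it runs before `$operator = check_login();`, so an unauthenticated POST with a missing token gets `CSRF failure` instead of the login flow. Consider invoking the check once from the shared path every operator page already goes through (for example inside `check_login()`, guarded by `$_SERVER['REQUEST_METHOD'] == 'POST'`) rather than per page, so coverage does not depend on remembering to add the line. The check also assumes `$_SESSION` is already active when it runs; the session setup and `check_login()` are outside this diff, so I cannot confirm from here that the session is started before this call in cannededit.php.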
@@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
+csrfchecktoken();
+
 $operator = check_login();
 $page = array('opid' => '');
diff --git a/src/messenger/webim/operator/settings.php b/src/messenger/webim/operator/settings.php
index 77025774..e8816825 100644
--- a/src/messenger/webim/operator/settings.php
+++ b/src/messenger/webim/operator/settings.php
@@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/settings.php');
+csrfchecktoken();
+
 $operator = check_login();
 $page = array('agentId' => '');
@@ -104,4 +106,4 @@ prepare_menu($operator);
 setup_settings_tabs(0);
 start_html_output();
 require('../view/settings.php');
-?>
\ No newline at end of file
+?>
diff --git a/src/messenger/webim/view/agent.php b/src/messenger/webim/view/agent.php
index 23912f81..f0bb10c7 100644
--- a/src/messenger/webim/view/agent.php
+++ b/src/messenger/webim/view/agent.php
@@ -50,6 +50,10 @@ require_once('inc_errors.php');