diff --git a/paramecio2/libraries/formsutils.py b/paramecio2/libraries/formsutils.py
index fbb53d0..fa480df 100644
--- a/paramecio2/libraries/formsutils.py
+++ b/paramecio2/libraries/formsutils.py
@@ -3,7 +3,7 @@ from paramecio2.libraries.db import corefields
 from paramecio2.libraries.db.coreforms import PasswordForm
 from paramecio2.libraries.i18n import I18n
-from flask import session
+from flask import session, request, abort
 from paramecio2.libraries.keyutils import create_key_encrypt
 
 
 # Need unittest
@@ -210,3 +210,11 @@ def generate_csrf():
     return session['csrf_token']
 
 
+def check_csrf(name_csrf_token='csrf_token'):
+
+    csrf_token=session.get('csrf_token', '')
+
+    if csrf_token=='' or csrf_token!=request.form.get(name_csrf_token):
+        abort(404)
+
+
diff --git a/paramecio2/modules/admin/app.py b/paramecio2/modules/admin/app.py
index 9e0e6f4..5db6aa8 100644
--- a/paramecio2/modules/admin/app.py
+++ b/paramecio2/modules/admin/app.py
@@ -13,6 +13,7 @@ import copy
 from os import path
 from paramecio2.modules.admin import admin_app, t
 from paramecio2.libraries.sendmail import SendMail
+from paramecio2.libraries.formsutils import check_csrf
 
 yes_recovery_login=False
 email_address='localhost'
@@ -66,6 +67,12 @@ def admin_prepare():
 
             return redirect(url_redirect)
 
+
+    """
+    if request.method=='POST':
+        check_csrf()
+    """
+
 @admin_app.after_request
 def admin_finished(response):
 
@@ -187,6 +194,8 @@ def login():
 
     if request.method=='POST':
 
+        check_csrf()
+
         username=request.form['username']
         password=request.form['password']
 
@@ -279,6 +288,8 @@ def signup():
 
     if request.method=='POST':
 
+        check_csrf()
+
         user_admin.conditions=['WHERE privileges=%s', [2]]
         forms=dict(request.form)
 
@@ -337,8 +348,10 @@ def auth_check():
 
     error=1
 
-    if 'login_admin' in session:
+    check_csrf()
 
+    if 'login_admin' in session:
+
         code=request.form.get('code', '')
         user_admin=UserAdmin(g.connection)
 
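Review bot: The token comparison in check_csrf, `csrf_token!=request.form.get(name_csrf_token)`, is a plain string compare; a constant-time compare is the usual choice for a secret token, e.g. `submitted = request.form.get(name_csrf_token, '')` followed by `if csrf_token == '' or not hmac.compare_digest(csrf_token, submitted):`, with `import hmac` added to the import block changed in the first hunk (compare_digest on str requires ASCII, so if the value generate_csrf() stores may contain non-ASCII characters compare the `.encode()` of both instead). A failed check answers with `abort(404)`; 403 is the conventional status for a rejected CSRF token and is easier to tell apart from a genuinely missing route in access logs and alerting. The function also has no docstring; `"""Abort the request unless form field name_csrf_token matches the session's csrf_token."""` would do.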
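Review bot: The block added to admin_prepare is a bare triple-quoted string holding commented-out code (`if request.method=='POST': check_csrf()`); as an expression statement it has no effect, and it leaves readers guessing whether app-wide CSRF enforcement in the before_request hook was abandoned or only deferred. Either drop it or replace it with a `#` comment that records the decision, e.g. `# NOTE: CSRF is enforced per view (login, signup, auth_check), not globally here`. Without the hook, every POST-handling view in this blueprint has to call check_csrf() itself, which deserves a sentence in the module docstring so new views do not silently miss it. admin_prepare starts outside the hunk.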
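Review bot: check_csrf() in login() aborts with 404 unless the posted form carries a `csrf_token` field matching the session; the login template is not part of this diff, so confirm it renders `${csrf_token()|n}` the way need_auth.phtml now does, otherwise every login POST is rejected. The same applies to the check_csrf() call added to signup() in the next hunk. Both views place the call before any form field is read, which is the right spot. login() starts outside the hunk.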
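Review bot: In auth_check() the new check_csrf() call is unconditional, unlike login() and signup() where it sits under `if request.method=='POST':`; if this route also serves GET (the decorator and any method guard are outside the hunk, so I cannot tell), a GET reaches check_csrf() with an empty request.form and is aborted with 404. Either guard it the same way, `if request.method=='POST':` / `    check_csrf()`, or confirm the route is registered for POST only. Moving the check ahead of the `'login_admin' in session` test is fine as long as the session already holds a csrf_token at that point, presumably set by generate_csrf() when the form was rendered — worth confirming. auth_check() starts outside the hunk.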
diff --git a/paramecio2/modules/admin/templates/need_auth.phtml b/paramecio2/modules/admin/templates/need_auth.phtml
index 73fa2ce..897643d 100644
--- a/paramecio2/modules/admin/templates/need_auth.phtml
+++ b/paramecio2/modules/admin/templates/need_auth.phtml
@@ -8,6 +8,7 @@

${lang('admin', 'check_your_email', 'Check your email for get instructions for complete login with double auth or')} logout and login again with other user

+ ${csrf_token()|n}