diff --git a/PHPCI/Controller/SessionController.php b/PHPCI/Controller/SessionController.php
index 540b043f..8fa9d48b 100644
--- a/PHPCI/Controller/SessionController.php
+++ b/PHPCI/Controller/SessionController.php
@@ -43,15 +43,23 @@ class SessionController extends \PHPCI\Controller
         $isLoginFailure = false;
 
         if ($this->request->getMethod() == 'POST') {
-            $user = $this->userStore->getByEmail($this->getParam('email'));
 
-            if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {
-                $_SESSION['phpci_user_id']    = $user->getId();
-                $response = new b8\Http\Response\RedirectResponse();
-                $response->setHeader('Location', $this->getLoginRedirect());
-                return $response;
-            } else {
+            $token = $this->getParam('token');
+            if ($token === null || $token !== $_SESSION['login_token']) {
                 $isLoginFailure = true;
+            } else {
+                unset($_SESSION['login_token']);
+
+                $user = $this->userStore->getByEmail($this->getParam('email'));
+
+                if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {
+                    $_SESSION['phpci_user_id']    = $user->getId();
+                    $response = new b8\Http\Response\RedirectResponse();
+                    $response->setHeader('Location', $this->getLoginRedirect());
+                    return $response;
+                } else {
+                    $isLoginFailure = true;
+                }
             }
         }
 
@@ -78,9 +86,15 @@ class SessionController extends \PHPCI\Controller
         $pwd->setClass('btn-success');
         $form->addField($pwd);
 
+        $tokenValue = $this->generateToken();
+        $_SESSION['login_token'] = $tokenValue;
+        $token = new b8\Form\Element\Hidden('token');
+        $token->setValue($tokenValue);
+        $form->addField($token);
+
         $this->view->form = $form->render();
         $this->view->failed = $isLoginFailure;
-        
+
         return $this->view->render();
     }
 
@@ -180,4 +194,20 @@ class SessionController extends \PHPCI\Controller
 
         return $rtn;
     }
+
+    /** Generate a random token.
+     *
+     * @return string
+     */
+    protected function generateToken()
+    {
+        if(function_exists('openssl_random_pseudo_bytes')) {
+            return bin2hex(openssl_random_pseudo_bytes(16));
+        }
+
+        return sprintf("%04x", mt_rand(0, 0xFFFF))
+            . sprintf("%04x", mt_rand(0, 0xFFFF))
+            . sprintf("%04x", mt_rand(0, 0xFFFF))
+            . sprintf("%04x", mt_rand(0, 0xFFFF));
+    }
 }