diff --git a/delete.php b/delete.php
index d0631128..62296a0b 100644
--- a/delete.php
+++ b/delete.php
@@ -19,6 +19,8 @@
 
 require_once('common.php');
 
+if (safeget('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 $username = authentication_get_username(); # enforce login
 
 $id    = safeget('delete');
diff --git a/login.php b/login.php
index 175eac96..3e68acc2 100644
--- a/login.php
+++ b/login.php
@@ -53,6 +53,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
         $_SESSION['sessid']['roles'][] = 'admin';
         $_SESSION['sessid']['username'] = $fUsername;
 
+        $_SESSION['PFA_token'] = md5(uniqid(rand(), true));
+
         # they've logged in, so see if they are a domain admin, as well.
 
         if (!$h->init($fUsername)) {
diff --git a/templates/adminlistadmin.tpl b/templates/adminlistadmin.tpl
index 59d66084..46a0f81c 100644
--- a/templates/adminlistadmin.tpl
+++ b/templates/adminlistadmin.tpl
@@ -20,7 +20,8 @@
 			<td>{$admin.modified}</td>
 			<td><a href="{#url_edit_admin#}&amp;edit={$admin.username|escape:"url"}&amp;active={if ($admin.active==0)}1{else}0{/if}">{$admin._active}</a></td>
 			<td><a href="{#url_edit_admin#}&edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
-			<td><a href="{#url_delete#}?table=admin&amp;delete={$admin.username|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
+			<td><a href="{#url_delete#}?table=admin&amp;delete={$admin.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}" 
+				onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
 		</tr>
 {/foreach}
 	</table>
diff --git a/templates/adminlistdomain.tpl b/templates/adminlistdomain.tpl
index 65ad9290..93047663 100644
--- a/templates/adminlistdomain.tpl
+++ b/templates/adminlistdomain.tpl
@@ -35,7 +35,8 @@
 			<td>{$domain.modified}</td>
 			<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}&amp;active={if ($domain.active==0)}1{else}0{/if}">{$domain._active}</a></td>
 			<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}">{$PALANG.edit}</a></td>
-			<td><a href="{#url_delete#}?table=domain&amp;delete={$domain.domain|escape:"url"}" onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>
+			<td><a href="{#url_delete#}?table=domain&amp;delete={$domain.domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}" 
+				onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>
 		</tr>
 {/foreach}
 	</table>
diff --git a/templates/fetchmail.tpl b/templates/fetchmail.tpl
index 0db31759..a1d7140b 100644
--- a/templates/fetchmail.tpl
+++ b/templates/fetchmail.tpl
@@ -39,7 +39,8 @@
 					<td nowrap="nowrap">{$row.date}&nbsp;</td>
 					<td nowrap="nowrap">{$row.returned_text}--x--&nbsp;</td> <!-- Inhalt mit if auswerten!  -->
 					<td><a href="fetchmail.php?edit={$row.id|escape:"url"}">{$PALANG.edit}</a></td>
-					<td><a href="fetchmail.php?delete={$row.id|escape:"url"}" onclick="return confirm('{$PALANG.confirm}{$PALANG.pMenu_fetchmail}:{$row.src_user}@{$row.src_server}')">{$PALANG.del}</a></td>
+					<td><a href="fetchmail.php?delete={$row.id|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
+						onclick="return confirm('{$PALANG.confirm}{$PALANG.pMenu_fetchmail}:{$row.src_user}@{$row.src_server}')">{$PALANG.del}</a></td>
 				</tr>
 			{/foreach}
 		{/if}
diff --git a/templates/list-virtual_alias.tpl b/templates/list-virtual_alias.tpl
index 8242e5c6..1b04ad4a 100644
--- a/templates/list-virtual_alias.tpl
+++ b/templates/list-virtual_alias.tpl
@@ -40,7 +40,7 @@
 			<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}"
 				>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 			<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}">{$PALANG.edit}</a></td>
-			<td><a href="delete.php?table=alias&amp;delete={$item.address|escape:"url"}" 
+			<td><a href="delete.php?table=alias&amp;delete={$item.address|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}" 
 				onclick="return confirm ('{$PALANG.confirm}{$PALANG.aliases}: {$item.address}');">{$PALANG.del}</a></td>
 		{else}
 			<td>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</td>
diff --git a/templates/list-virtual_alias_domain.tpl b/templates/list-virtual_alias_domain.tpl
index 47864fe8..1b380f7c 100644
--- a/templates/list-virtual_alias_domain.tpl
+++ b/templates/list-virtual_alias_domain.tpl
@@ -32,7 +32,8 @@
 				<td>{$item.modified}</td>
 				<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 				<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}">{$PALANG.edit}</a></td>
-				<td><a href="{#url_delete#}?table=aliasdomain&amp;delete={$item.alias_domain|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain}');">{$PALANG.del}</a></td>
+				<td><a href="{#url_delete#}?table=aliasdomain&amp;delete={$item.alias_domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
+					onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain} -&gt; {$item.target_domain}');">{$PALANG.del}</a></td>
 				</tr>
 			{/foreach}
 		{/if}
diff --git a/templates/list-virtual_mailbox.tpl b/templates/list-virtual_mailbox.tpl
index a99f5644..d48a8471 100644
--- a/templates/list-virtual_mailbox.tpl
+++ b/templates/list-virtual_mailbox.tpl
@@ -87,7 +87,8 @@
 				<td><a href="edit.php?table=alias&amp;edit={$item.username|escape:"url"}">{$PALANG.alias}</a></td>
 			{/if}
 			<td><a href="edit.php?table=mailbox&amp;edit={$item.username|escape:"url"}">{$PALANG.edit}</a></td>
-			<td><a href="delete.php?table=mailbox&amp;delete={$item.username|escape:"url"}" onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
+			<td><a href="delete.php?table=mailbox&amp;delete={$item.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
+				onclick="return confirm ('{$PALANG.confirm}{$PALANG.mailboxes}: {$item.username}');">{$PALANG.del}</a></td>
 		</tr>
 	{/foreach}
 </table>
diff --git a/users/login.php b/users/login.php
index 66426bfa..bc2744e0 100644
--- a/users/login.php
+++ b/users/login.php
@@ -48,6 +48,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
       $_SESSION['sessid']['roles'] = array();
       $_SESSION['sessid']['roles'][] = 'user';
       $_SESSION['sessid']['username'] = $fUsername;
+      $_SESSION['PFA_token'] = md5(uniqid(rand(), true));
       header("Location: main.php");
       exit;
    }
