Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r804dca72fa2ac638a9d3e2e66054d82688951c31 -r3582a26f019d77b921db0379ca2516dd51860bde
--- lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 804dca72fa2ac638a9d3e2e66054d82688951c31)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 3582a26f019d77b921db0379ca2516dd51860bde)
@@ -1,8 +1,12 @@
 # Only check POST forms. If we need to, we can add GET and other HTTP methods
 org.owasp.csrfguard.ProtectedMethods=POST
-# By default do not check anything. ignoreAll is the same as filter coverage in web.xml
-org.owasp.csrfguard.unprotected.ignoreAll=*.do
+# Do not check anything except for pages which are explicitly marked as protected
+org.owasp.csrfguard.Protect = true
+
+# Mandatory field for stateful applications like LAMS
+org.owasp.csrfguard.LogicalSessionExtractor = org.owasp.csrfguard.session.SessionTokenKeyExtractor
+
+# List of actions to check
 # Each key goes into a separate line prefixed with org.owasp.csrfguard.protected.
 # A key suffix must not contain a dot "." character