Index: lams_build/3rdParty.userlibraries
===================================================================
diff -u -rfe4d029603238bbb734237cd5c7ca87fd062cfa5 -rd0f91f196f94f7003b38aca363362a485065f70a
--- lams_build/3rdParty.userlibraries (.../3rdParty.userlibraries) (revision fe4d029603238bbb734237cd5c7ca87fd062cfa5)
+++ lams_build/3rdParty.userlibraries (.../3rdParty.userlibraries) (revision d0f91f196f94f7003b38aca363362a485065f70a)
@@ -47,5 +47,6 @@
+
Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r3582a26f019d77b921db0379ca2516dd51860bde -rd0f91f196f94f7003b38aca363362a485065f70a
--- lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 3582a26f019d77b921db0379ca2516dd51860bde)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision d0f91f196f94f7003b38aca363362a485065f70a)
@@ -63,6 +63,8 @@
 org.owasp.csrfguard.protected.centralPortraitDelete=/lams/saveportrait/deletePortrait.do
 org.owasp.csrfguard.protected.centralPortraitSave=/lams/saveportrait.do
 org.owasp.csrfguard.protected.centralPasswordChange=/lams/passwordChanged.do
+org.owasp.csrfguard.protected.centralForgotPassword=/lams/ForgotPasswordRequest
+org.owasp.csrfguard.protected.centralLogin=/lams/j_security_check
 #QB
 org.owasp.csrfguard.protected.centralSaveQuestion=/lams/qb/edit/saveOrUpdateQuestion.do
Index: lams_central/web/login.jsp
===================================================================
diff -u -r3a73867e4d02a6432294800c1831ad299a51332b -rd0f91f196f94f7003b38aca363362a485065f70a
--- lams_central/web/login.jsp (.../login.jsp) (revision 3a73867e4d02a6432294800c1831ad299a51332b)
+++ lams_central/web/login.jsp (.../login.jsp) (revision d0f91f196f94f7003b38aca363362a485065f70a)
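Review bot: The new `centralLogin=/lams/j_security_check` entry carries no comment relating it to the explicit `CsrfValidator` check that this same commit adds to `SsoHandler`, so a reader of this file cannot tell which of the two is expected to enforce the check for form logins. If, as the Java change suggests, the container consumes `j_security_check` before the CsrfGuard filter sees it, record that here: `# j_security_check is also validated explicitly in SsoHandler for regular (non Login-as) logins`. A similar one-line comment on `centralForgotPassword` would help, since login.jsp in this commit changes how that request URL is built.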
@@ -64,7 +64,7 @@
 var $form=$(document.createElement('form'))
 .css({display:'none'})
 .attr("method","POST")
- .attr("action","ForgotPasswordRequest?method=showForgotYourPasswordPage");
+ .attr("action","ForgotPasswordRequest?method=showForgotYourPasswordPage&");
 $("body").append($form);
 $form.submit();
 });
@@ -116,6 +116,7 @@
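Review bot: The trailing `&` appended to the form action at the changed `.attr("action", ...)` line is unexplained, and nothing in the hunk shows what is meant to follow it. If it is there so that a CSRF token can be appended to the query string by CsrfGuard's script, say so: `// trailing '&' leaves room for the CSRF token CsrfGuard appends to the URL`. It is also worth noting in that comment that a token carried in the query string ends up in access logs and Referer headers, whereas a hidden field in this POST form would not. The click handler that builds `$form` starts outside the hunk.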
+
@@ -177,7 +178,8 @@
- +
Index: lams_central/web/loginTwoFactorAuth.jsp
===================================================================
diff -u -r4c2d1f37b92435907ec4ce23cb635a7cd9e4161e -rd0f91f196f94f7003b38aca363362a485065f70a
--- lams_central/web/loginTwoFactorAuth.jsp (.../loginTwoFactorAuth.jsp) (revision 4c2d1f37b92435907ec4ce23cb635a7cd9e4161e)
+++ lams_central/web/loginTwoFactorAuth.jsp (.../loginTwoFactorAuth.jsp) (revision d0f91f196f94f7003b38aca363362a485065f70a)
@@ -78,6 +78,7 @@
+
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -rbfd5c97945c7bafc8a2f22202fbdb93652c1bed2 -rd0f91f196f94f7003b38aca363362a485065f70a
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision bfd5c97945c7bafc8a2f22202fbdb93652c1bed2)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision d0f91f196f94f7003b38aca363362a485065f70a)
@@ -45,6 +45,7 @@
 import org.lamsfoundation.lams.util.ConfigurationKeys;
 import org.lamsfoundation.lams.web.session.SessionManager;
 import org.lamsfoundation.lams.web.util.AttributeNames;
+import org.owasp.csrfguard.CsrfValidator;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -111,7 +112,6 @@
 * Response is sent in another thread and if UserDTO is not present in session when browser completes
 * redirect, it results in error. Winning this race is the easiest option.
 */
-
 String login = request.getParameter("j_username");
 if (StringUtils.isBlank(login)) {
 SsoHandler.clearLoginSessionAttributes(session);
@@ -154,6 +154,16 @@
 //bypass 2FA if using Login-as
 boolean isPasswordToken = password.startsWith("#LAMS");
+ if (!isPasswordToken) {
+ // check for CSRF attack only for regular logins
+ // for LoginAs and integrations existing HTTP session gets invalidated and so is the CSRF token
+ CsrfValidator csrfValidator = new CsrfValidator();
+ boolean isCsrfValid = csrfValidator.isValid(request, response);
+ if (!isCsrfValid) {
+ throw new SecurityException("Login page does not have a valid CSRF token");
+ }
+ }
+
 boolean isUsingLoginAsFeature = isPasswordToken && StringUtils.equals(redirectURL, "/lams/index.jsp");
 // if user is not yet authorized and has 2FA shared secret set up - redirect him to 
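Review bot: The decision to skip CSRF validation is keyed on `password.startsWith("#LAMS")`, a value the request submitter controls, so the new `if (!isPasswordToken)` block protects only regular logins and the Login-as path relies entirely on the token validation that follows (outside this hunk) to reject a forged request; the comment above the block should state that dependency, e.g. `// the '#LAMS' prefix is caller-controlled; Login-as safety rests on the token check below, not on CSRF validation`. The failure path also differs from the blank-login branch in the earlier hunk, which calls `SsoHandler.clearLoginSessionAttributes(session)` when `j_username` is blank, whereas a CSRF failure throws `SecurityException` with whatever login attributes were set apparently still in the session — if that is deliberate, a comment should say so. `new CsrfValidator()` is also constructed on every request; if it holds no per-request state it can be a `static final` field. The enclosing method starts and ends outside the hunk.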
@@ -247,7 +257,7 @@
 if (failedAttempts >= failedAttemptsConfig) {
 Integer lockOutTimeConfig = Configuration.getAsInt(ConfigurationKeys.LOCK_OUT_TIME);
- Long lockOutTimeMillis = lockOutTimeConfig * 60L * 1000;
+ long lockOutTimeMillis = lockOutTimeConfig * 60L * 1000;
 Long currentTimeMillis = System.currentTimeMillis();
 Date date = new Date(currentTimeMillis + lockOutTimeMillis);
 user.setLockOutTime(date);
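Review bot: `Long currentTimeMillis = System.currentTimeMillis();` on the line right after the changed one has the same needless boxing the hunk removes from `lockOutTimeMillis`; change it to `long currentTimeMillis = System.currentTimeMillis();` so the two declarations match. Separately, `lockOutTimeConfig * 60L * 1000` unboxes `Integer lockOutTimeConfig`; if `Configuration.getAsInt` can return null when `LOCK_OUT_TIME` is not configured, this throws a NullPointerException inside the lock-out path, which deserves either a guard or a comment stating the key is guaranteed to be set. The enclosing method starts and ends outside the hunk.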