LoginForm no longer disables CSRF protection. This may cause regressions on sites that statically publish pages with login forms or other changes. To restore the previous behaviour, in which the login form carries no CSRF security token, you'll need to use the Injector to substitute a custom login form.

Define a login form:

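    class CustomLoginForm extends MemberLoginForm {

        public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true) {
            parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);
            // Restore the previous behaviour: render the login form without a CSRF security token.
            $this->disableSecurityToken();
        }

    }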

Add this to mysite/_config/config.yml:

    Injector:
      MemberLoginForm:
        class: CustomLoginForm
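
Before switching the token off site-wide, it helps to know which statically published pages actually embed a login form token, since a token written into a cached page cannot match a visitor's own session. The script below is an added example, not SilverStripe code; it assumes the token field uses SilverStripe's default name `SecurityID` and that published pages are `.html` files under one directory, and its sample pages are constructed.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path

TOKEN_FIELD = "SecurityID"  # assumption: SilverStripe's default security token field name


class FormTokenParser(HTMLParser):
    """Records each <form>'s action and whether it contains the token input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form> seen in the page
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_token": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and attrs.get("name") == TOKEN_FIELD:
            self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_static_cache(cache_dir):
    """Return (relative path, form action) for every cached form with a baked-in token."""
    root, findings = Path(cache_dir), []
    for path in sorted(root.rglob("*.html")):
        parser = FormTokenParser()
        parser.feed(path.read_text(encoding="utf-8", errors="replace"))
        findings += [(path.relative_to(root).as_posix(), f["action"])
                     for f in parser.forms if f["has_token"]]
    return findings


def demo():
    """Audit two constructed pages written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "about.html").write_text("<form action='/search'><input name='q'></form>")
        (Path(tmp) / "login.html").write_text(
            "<form action='Security/LoginForm'>"
            "<input type='hidden' name='SecurityID' value='constructed' /></form>")
        return audit_static_cache(tmp)
```

Pages the audit reports are the ones affected by this change; pages it does not report need no override.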

Change Log


  • 2016-04-18 3c0f2e8 Add CSRF protection to tree reorganise (Daniel Hensby) - See ss-2015-029
  • 2016-04-18 a24c826 Store current page IDs as ints (Daniel Hensby) - See ss-2016-004
  • 2016-04-18 1ccd392 Properly check backurl on CMSSecurity@success (Daniel Hensby) - See ss-2016-001
  • 2016-04-18 f32c893 Apply brute force protection to default admin (Daniel Hensby) - See ss-2016-005
  • 2016-04-18 a6bd22a don't disable XSS for login forms (Daniel Hensby) - See ss-2016-006


  • 2016-05-01 2a5ba39 Fix SS_HTTPResponse being cast as string (#5413) (Damian Mooyman)
  • 2016-04-24 fde6376 Admin blacklisted messages using correct $.inArray check (Daniel Hensby)
  • 2016-04-12 36283b8 Stop "success" message showing in CMS (Daniel Hensby)
  • 2016-04-11 707aa14 for #5299 Adding <code> blocks to Injector documentation. (Patrick Nelson)
  • 2016-04-07 000bf09 for #1447 to ensure proper type-safe checking of file_put_contents() in ErrorPage->writeStaticPage() (Patrick Nelson)
  • 2016-04-01 9d9c572 for #5251 to address minor URL decoding/parsing bug. (Patrick Nelson)
  • 2016-03-31 6ec2656 fix ErrorControlChain causing errors to be displayed if display_errors in php.ini is false (Damian Mooyman)
  • 2016-03-28 aeb4aa9 Don't allow plain text friendly errors (Daniel Hensby)
  • 2016-03-27 5ede516 GridField::FieldHolder() should not attempt to parse shortcodes (fixes #5129) (Loz Calver)
  • 2016-03-21 9d62d9d Link tracking not escaping # Fixes #1409 (Daniel Hensby)
  • 2016-03-21 5f8356d Fix File::getRelativePath() failing if parent folder is renamed (Damian Mooyman)
  • 2016-03-20 283885f tab wrapping (Jonathon Menz)
  • 2016-03-18 ada1206 Autocomplete loading spinner now showing (Daniel Hensby)
  • 2016-03-18 add2ecd Parameter tokens now redirect to correct url if mod_rewrite is off (Daniel Hensby)
  • 2016-03-18 57cfe3c Bad joining of links in reports (Daniel Hensby)
  • 2016-03-10 bc31d9c Use Controller::join_links() in Reports (Daniel Hensby)
  • 2016-03-08 0364204 Incorrect title attribute on CMS tabs (Loz Calver)
  • 2016-03-07 aa57427 Don't install imagick on php 5.3 (Damian Mooyman)
  • 2016-03-07 86b1c8f file sync removes folders with dot in name (Jonathon Menz)
  • 2016-03-07 6a22454 Fix FulltextsearchEnable (Damian Mooyman)
  • 2016-03-01 2079844 fixes "Uncaught ImagickException: Can not process empty Imagick object" when deleting an image (Ryan McLaren)
  • 2016-03-01 817b836 getIP from behind a load-balancer that adds many IPs to the header (Daniel Hensby)
  • 2016-02-26 bd48d89 undeclared constant issue (Daniel Hensby)
  • 2016-02-26 c2a0e89 undeclared constant issue (Daniel Hensby)
  • 2016-02-26 99ca2aa Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-26 cc95703 Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-26 320c833 Fix regressions in missing CSRF on print button (Damian Mooyman)
  • 2016-02-25 f7cacca Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-25 3dc0d0e Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-25 b0ad86b Fix regression in gridfield get actions (Damian Mooyman)
  • 2016-02-22 65a0981 Correct behaviour of publish with $createNewVersion = true (Damian Mooyman)
  • 2016-02-16 644c807 Use correct formaction for doRollback exemption #1378 (Andrew Aitken-Fincham)
  • 2016-02-15 8771859 "where" method in SQLUpdate Example (Richard Rudy)
  • 2016-02-05 0c252af Fixed issue #5002 DatetimeField styles in the new filter panel (UndefinedOffset)
  • 2016-01-28 3fcf1e2 edge case on many many extra fields (fixes 4991) (Mark Stephens)
  • 2016-01-28 7226524 Fix invalid sv translation yml (Damian Mooyman)
  • 2016-01-27 3d0178e Use correct formaction for doRollback exemption (Damian Mooyman)
  • 2016-01-27 361c9a0 removing hardcoded target _blank for tinymce file links (Ben Manu)
  • 2016-01-24 d8e354d PHPDocs on DataList::getIDList() and UnsavedRelationList::getIDList() (Damian Mooyman)
  • 2015-01-08 adf0f10 Fixes CMS errors when viewing history on "Deleted" pages. (Russell Michell)