diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php
index 2e3b647fc835f0931689a3ed8cb24c754fe01b03..251de2b4f8ec4cdd8822668b806bde81b6a7e57e 100644
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -23,7 +23,6 @@
 if($ost && ($headers=$ost->getExtraHeaders())) {
 echo "\n\t".implode("\n\t", $headers)."\n";
 }
- csrf_enable_ajax();
 ?>
 </head>
 <body onunload="">
@@ -37,7 +36,8 @@
 <?php }else{ ?>
 | <a href="index.php">Staff Panel</a>
 <?php } ?>
- | <a href="profile.php">My Preferences</a> | <a href="logout.php">Log Out</a>
+ | <a href="profile.php">My Preferences</a>
+ | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a>
 </p>
 </div>
 <ul id="nav">
diff --git a/scp/logout.php b/scp/logout.php
index f167d5a876082b0628f1e64929626444f28a3bb0..8f3b980d5e86f65d2569ade250f3437b38c072bf 100644
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -15,6 +15,10 @@
 vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require('staff.inc.php');
+//CSRF Check: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id())) @header('Location: index.php');
+
 $ost->logDebug('Staff logout', sprintf("%s logged out [%s]", $thisstaff->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug.
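Review bot: The new Log Out link dereferences `$ost` unconditionally via `$ost->getCSRFToken()`, while the earlier hunk in this same file still guards `if($ost && ...)` before touching it, so if `$ost` can be unset when this header is rendered the template now fatals; either keep the guard consistent here or drop it everywhere once `$ost` is guaranteed. The expression `md5($ost->getCSRFToken().SECRET_SALT.session_id())` is also repeated verbatim in scp/logout.php, so the two sides can drift silently; computing it in one helper that both the link and the check call would keep them in sync. Since the token is carried in a GET query string it can land in access logs and Referer headers; as a one-way hash bound to this session it only authorises logging this session out, so the exposure is bounded, but a POST form would avoid it entirely.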
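Review bot: The new `if(...)` guard only emits a redirect header and does not stop execution, so on a missing or wrong `auth` the script still falls through to the `$ost->logDebug(...)` line and whatever follows it, and the logout itself presumably proceeds anyway; add `exit;` directly after `@header('Location: index.php');`. `$_GET['auth']` is read without `isset()`, which raises a notice when the parameter is absent, and `!=` is a loose comparison between two strings PHP may treat as numeric (hex digests of the form `0e…` compare equal), so the condition should read `if(!isset($_GET['auth']) || $_GET['auth']!==md5($ost->getCSRFToken().SECRET_SALT.session_id()))` — or use `hash_equals()` against the expected digest if the project's PHP baseline allows it. The remainder of the logout sequence is outside this hunk.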