diff --git a/UI/MailerUI/UIxMailAccountActions.m b/UI/MailerUI/UIxMailAccountActions.m
@@ -1,6 +1,6 @@
 /* UIxMailAccountActions.m - this file is part of SOGo
  *
- * Copyright (C) 2007-2014 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -34,8 +34,6 @@
 #import <SOGo/SOGoDomainDefaults.h>
 #import <SOGo/SOGoUser.h>
 
-#import "../Common/WODirectAction+SOGo.h"
-
 #import "UIxMailAccountActions.h"
 
 @implementation UIxMailAccountActions

diff --git a/UI/MailerUI/UIxMailActions.h b/UI/MailerUI/UIxMailActions.h
@@ -1,6 +1,6 @@
 /* UIxMailActions.h - this file is part of SOGo
  *
- * Copyright (C) 2007-2013 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,8 +21,9 @@
 #ifndef UIXMAILACTIONS_H
 #define UIXMAILACTIONS_H
 
+#import <UI/Common/SOGoDirectAction.h>
 
-@interface UIxMailActions : WODirectAction
+@interface UIxMailActions : SOGoDirectAction
 @end
 
 #endif /* UIXMAILACTIONS_H */
diff --git a/UI/MailerUI/UIxMailActions.m b/UI/MailerUI/UIxMailActions.m
@@ -37,8 +37,6 @@
 #import <SoObjects/SOGo/SOGoUserSettings.h>
 #import <SoObjects/SOGo/SOGoUserDefaults.h>
 
-#import "../Common/WODirectAction+SOGo.h"
-
 #import "UIxMailActions.h"
 
 @implementation UIxMailActions

diff --git a/UI/MailerUI/UIxMailFolderActions.h b/UI/MailerUI/UIxMailFolderActions.h
@@ -21,10 +21,11 @@
 #ifndef UIXMAILFOLDERACTIONS_H
 #define UIXMAILFOLDERACTIONS_H
 
+#import <UI/Common/SOGoDirectAction.h>
 
 @class WOResponse;
 
-@interface UIxMailFolderActions : WODirectAction
+@interface UIxMailFolderActions : SOGoDirectAction
 
 - (id <WOActionResults>) createFolderAction;
 - (WOResponse *) renameFolderAction;

diff --git a/UI/MailerUI/UIxMailFolderActions.m b/UI/MailerUI/UIxMailFolderActions.m
@@ -38,8 +38,6 @@
 #import <SOGo/SOGoUser.h>
 #import <SOGo/SOGoUserSettings.h>
 
-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxMailFolderActions.h"
 
 @implementation UIxMailFolderActions
@@ -225,7 +223,6 @@ - (WOResponse *) deleteAction
   SOGoUserSettings *us;
   WOResponse *response;
   NSException *error;
-
   BOOL moved;
 
   co = [self clientObject];
@@ -380,20 +377,20 @@ - (WOResponse *) saveMessagesAction
   response = nil;
 
   if ([value length] > 0)
-  {
-    uids = [value componentsSeparatedByString: @","];
-    response = [co archiveUIDs: uids
-                inArchiveNamed: [self labelForKey: @"Saved Messages.zip" inContext: context]
-                     inContext: context];
-    if (!response)
-      response = [self responseWith204];
-  }
+    {
+      uids = [value componentsSeparatedByString: @","];
+      response = [co archiveUIDs: uids
+                  inArchiveNamed: [self labelForKey: @"Saved Messages.zip" inContext: context]
+                       inContext: context];
+      if (!response)
+        response = [self responseWith204];
+    }
   else
-  {
-    jsonResponse = [NSDictionary dictionaryWithObject: [self labelForKey: @"Missing 'uid' parameter." inContext: context]
-                                               forKey: @"message"];
-    response = [self responseWithStatus: 500 andJSONRepresentation: jsonResponse];
-  }
+    {
+      jsonResponse = [NSDictionary dictionaryWithObject: [self labelForKey: @"Missing 'uid' parameter." inContext: context]
+                                                 forKey: @"message"];
+      response = [self responseWithStatus: 500 andJSONRepresentation: jsonResponse];
+    }
 
   return response;
 }

diff --git a/UI/MailerUI/UIxMailListActions.h b/UI/MailerUI/UIxMailListActions.h
@@ -1,6 +1,5 @@
 /*
-  Copyright (C) 2004-2005 SKYRIX Software AG
-  Copyright (C) 2004-2014 Inverse inc
+  Copyright (C) 2004-2016 Inverse inc
 
   This file is part of SOGo.
 
@@ -23,13 +22,14 @@
 #ifndef UIXMAILLISTACTIONS_H
 #define UIXMAILLISTACTIONS_H
 
-
 @class NSDictionary;
 @class EOQualifier;
 @class SOGoDateFormatter;
 @class UIxMailSizeFormatter;
 
-@interface UIxMailListActions : WODirectAction
+#import <UI/Common/SOGoDirectAction.h>
+
+@interface UIxMailListActions : SOGoDirectAction
 {
   NSArray *sortedUIDs; /* we always need to retrieve all anyway! */
   NSArray *messages;

diff --git a/UI/MailerUI/UIxMailListActions.m b/UI/MailerUI/UIxMailListActions.m
@@ -58,7 +58,6 @@
 #import <SOGo/SOGoUserSettings.h>
 #import <SOGo/WOResourceManager+SOGo.h>
 
-#import <UI/Common/WODirectAction+SOGo.h>
 #import <UI/MailPartViewers/UIxMailSizeFormatter.h>
 
 #import "WOContext+UIxMailer.h"

diff --git a/UI/MailerUI/UIxMailSourceView.h b/UI/MailerUI/UIxMailSourceView.h
@@ -1,6 +1,6 @@
 /* UIxMailSourceView.h - this file is part of SOGo
  *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,8 +21,9 @@
 #ifndef UIXMAILSOURCEVIEW_H
 #define UIXMAILSOURCEVIEW_H
 
+#import <UI/Common/SOGoDirectAction.h>
 
-@interface UIxMailSourceView : WODirectAction
+@interface UIxMailSourceView : SOGoDirectAction
 
 @end
 

diff --git a/UI/MailerUI/UIxMailSourceView.m b/UI/MailerUI/UIxMailSourceView.m
@@ -1,6 +1,6 @@
 /* UIxMailSourceView.m - this file is part of SOGo
  *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -23,8 +23,6 @@
 
 #import <SoObjects/Mailer/SOGoMailObject.h>
 
-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxMailSourceView.h"
 
 @implementation UIxMailSourceView

diff --git a/UI/MainUI/SOGoMicrosoftActiveSyncActions.m b/UI/MainUI/SOGoMicrosoftActiveSyncActions.m
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2014 Inverse inc. 
+  Copyright (C) 2014-2016 Inverse inc.
 
   This file is part of SOGo.
 
@@ -23,10 +23,11 @@
 #import <SOGo/SOGoCache.h>
 #import <SOGo/NSObject+Utilities.h>
 
-#import <NGObjWeb/NSException+HTTP.h>
 #import <NGObjWeb/WOContext.h>
+#import <NGObjWeb/WODirectAction.h>
+#import <NGObjWeb/NSException+HTTP.h>
+#import <NGObjWeb/WOResponse.h>
 
-#import <Common/WODirectAction+SOGo.h>
 #import <ActiveSync/SOGoActiveSyncDispatcher.h>
 
 @interface SOGoMicrosoftActiveSyncActions : WODirectAction
@@ -47,7 +48,9 @@ - (WOResponse *) microsoftServerActiveSyncAction
   Class clazz;
 
   request = (WORequest *)[context request];
-  response = [self responseWithStatus: 200];
+  response = [context response];
+  [response setStatus: 200];
+  [response setHeader: @"text/plain; charset=utf-8"  forKey: @"content-type"];
 
   bundle = [NSBundle bundleForClass: NSClassFromString(@"ActiveSyncProduct")];
   clazz = [bundle classNamed: @"SOGoActiveSyncDispatcher"];

diff --git a/UI/MainUI/SOGoRootPage.m b/UI/MainUI/SOGoRootPage.m
@@ -36,6 +36,7 @@
 
 #import <Appointments/SOGoAppointmentFolders.h>
 
+#import <SOGo/NSString+Crypto.h>
 #import <SOGo/NSString+Utilities.h>
 #import <SOGo/SOGoBuild.h>
 #import <SOGo/SOGoCache.h>
@@ -170,14 +171,14 @@ - (WOResponse *) _responseWithLDAPPolicyError: (int) error
 {
   WOResponse *response;
   WORequest *request;
-  WOCookie *authCookie;
+  WOCookie *authCookie, *xsrfCookie;
   SOGoWebAuthenticator *auth;
   SOGoAppointmentFolders *calendars;
   SOGoUserDefaults *ud;
   SOGoUser *loggedInUser;
   NSDictionary *params;
   NSString *username, *password, *language, *domain, *remoteHost;
-  NSArray *supportedLanguages;
+  NSArray *supportedLanguages, *creds;
 
   SOGoPasswordPolicyError err;
   int expire, grace;
@@ -232,6 +233,13 @@ - (WOResponse *) _responseWithLDAPPolicyError: (int) error
                                   inContext: context];
       [response addCookie: authCookie];
 
+      // We prepare the XSRF protection cookie
+      creds = [auth parseCredentials: [authCookie value]];
+      xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
+                                      value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
+      [xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
+      [response addCookie: xsrfCookie];
+
       supportedLanguages = [[SOGoSystemDefaults sharedSystemDefaults]
                              supportedLanguages];
       loggedInUser = [SOGoUser userWithLogin: username];
@@ -540,8 +548,8 @@ - (NSString *) version
 - (WOResponse *) changePasswordAction
 {
   NSString *username, *domain, *password, *newPassword, *value;
+  WOCookie *authCookie, *xsrfCookie;
   NSDictionary *message;
-  WOCookie *authCookie;
   NSArray *creds;
   SOGoUserManager *um;
   SOGoPasswordPolicyError error;
@@ -592,6 +600,12 @@ - (WOResponse *) changePasswordAction
                                 andPassword: newPassword
                                   inContext: context];
       [response addCookie: authCookie];
+
+      // We update the XSRF protection cookie
+      creds = [auth parseCredentials: [authCookie value]];
+      xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
+                                      value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
+      [response addCookie: xsrfCookie];
     }
   else
     response = [self _responseWithLDAPPolicyError: error];

diff --git a/UI/MainUI/SOGoUserHomePage.m b/UI/MainUI/SOGoUserHomePage.m
@@ -455,8 +455,8 @@ - (WOCookie *) _logoutCookieWithDate: (NSCalendarDate *) date
 
 - (id <WOActionResults>) logoffAction
 {
-  SOGoWebAuthenticator *auth;
   NSString *userName, *value;
+  SOGoWebAuthenticator *auth;
   WOResponse *response;
   NSCalendarDate *date;
   WOCookie *cookie;
@@ -486,6 +486,12 @@ - (WOCookie *) _logoutCookieWithDate: (NSCalendarDate *) date
   if (cookie)
     [response addCookie: cookie];
 
+  // We remove the XSRF cookie
+  cookie = [WOCookie cookieWithName: @"XSRF-TOKEN"  value: @"discard"];
+  [cookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
+  [cookie setExpires: [date yesterday]];
+  [response addCookie: cookie];
+
   [response setHeader: [date rfc822DateString] forKey: @"Last-Modified"];
   [response setHeader: @"no-store, no-cache, must-revalidate,"
             @" max-age=0, post-check=0, pre-check=0"

diff --git a/UI/PreferencesUI/UIxJSONPreferences.h b/UI/PreferencesUI/UIxJSONPreferences.h
@@ -1,6 +1,6 @@
 /* UIxJSONPreferences.h - this file is part of SOGo
  *
- * Copyright (C) 2007-2015 Inverse inc.
+ * Copyright (C) 2007-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,8 +21,9 @@
 #ifndef UIXJSONPREFERENCES_H
 #define UIXJSONPREFERENCES_H
 
+#import <UI/Common/SOGoDirectAction.h>
 
-@interface UIxJSONPreferences : WODirectAction
+@interface UIxJSONPreferences : SOGoDirectAction
 
 @end
 

diff --git a/UI/PreferencesUI/UIxJSONPreferences.m b/UI/PreferencesUI/UIxJSONPreferences.m
@@ -35,8 +35,6 @@
 #import <SOGo/WOResourceManager+SOGo.h>
 #import <Mailer/SOGoMailLabel.h>
 
-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "UIxJSONPreferences.h"
 
 static SoProduct *preferencesProduct = nil;

diff --git a/UI/SOGoUI/UIxComponent.m b/UI/SOGoUI/UIxComponent.m
@@ -34,11 +34,14 @@
 #import <SOGo/NSCalendarDate+SOGo.h>
 #import <SOGo/NSDictionary+Utilities.h>
 #import <SOGo/NSObject+Utilities.h>
+#import <SOGo/NSString+Crypto.h>
 #import <SOGo/NSString+Utilities.h>
 #import <SOGo/SOGoBuild.h>
+#import <SOGo/SOGoSession.h>
 #import <SOGo/SOGoSystemDefaults.h>
 #import <SOGo/SOGoUser.h>
 #import <SOGo/SOGoUserFolder.h>
+#import <SOGo/SOGoWebAuthenticator.h>
 #import <SOGo/WOContext+SOGo.h>
 #import <SOGo/WOResourceManager+SOGo.h>
 
@@ -763,4 +766,42 @@ - (BOOL) isUIxDebugEnabled
   return [sd uixDebugEnabled];
 }
 
+//
+// Protection against XSRF
+//
+- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
+{
+  SOGoWebAuthenticator *auth;
+  NSString *value, *token;
+  NSArray *creds;
+
+  if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
+    return [super performActionNamed: _actionName];
+
+  // If the action is 'connect' (or 'logoff'), we let it go as the token
+  // needs to be created (or destroyed) during the session initialization
+  if ([_actionName isEqualToString: @"connect"] ||
+      [_actionName isEqualToString: @"logoff"])
+    {
+      return [super performActionNamed: _actionName];
+    }
+
+  // We grab the X-XSRF-TOKEN header
+  token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
+
+  // We compare it with our session key
+  auth = [[WOApplication application]
+           authenticatorInContext: context];
+  value = [[context request]
+           cookieValueForKey: [auth cookieNameInContext: context]];
+  creds = [auth parseCredentials: value];
+
+  value = [SOGoSession valueForSessionKey: [creds lastObject]];
+
+  if ([token isEqualToString: [value asSHA1String]])
+    return [super performActionNamed: _actionName];
+
+  return nil;
+}
+
 @end /* UIxComponent */
diff --git a/UI/Scheduler/UIxAppointmentActions.h b/UI/Scheduler/UIxAppointmentActions.h
@@ -21,8 +21,9 @@
 #ifndef UIXAPPOINTMENTACTIONS_H
 #define UIXAPPOINTMENTACTIONS_H
 
+#import <Common/SOGoDirectAction.h>
 
-@interface UIxAppointmentActions : WODirectAction
+@interface UIxAppointmentActions : SOGoDirectAction
 
 @end
 

diff --git a/UI/Scheduler/UIxAppointmentActions.m b/UI/Scheduler/UIxAppointmentActions.m
@@ -40,8 +40,6 @@
 #import <Appointments/SOGoAppointmentFolder.h>
 #import <Appointments/SOGoAppointmentFolders.h>
 
-#import <Common/WODirectAction+SOGo.h>
-
 #import "UIxAppointmentActions.h"
 
 @implementation UIxAppointmentActions

diff --git a/UI/Scheduler/UIxCalListingActions.h b/UI/Scheduler/UIxCalListingActions.h
@@ -1,6 +1,6 @@
 /* UIxCalListingActions.h - this file is part of SOGo
  *
- * Copyright (C) 2006-2015 Inverse inc.
+ * Copyright (C) 2006-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
 #ifndef UIXCALLISTINGACTIONVIEW_H
 #define UIXCALLISTINGACTIONVIEW_H
 
-#import <Common/WODirectAction+SOGo.h>
+#import <Common/SOGoDirectAction.h>
 
 @class NSCalendarDate;
 @class NSMutableDictionary;
@@ -33,7 +33,7 @@
 @class WOResponse;
 @class WORequest;
 
-@interface UIxCalListingActions : WODirectAction
+@interface UIxCalListingActions : SOGoDirectAction
 {
   NSMutableDictionary *componentsData;
   NSCalendarDate *startDate;

diff --git a/UI/Scheduler/UIxCalListingActions.m b/UI/Scheduler/UIxCalListingActions.m
@@ -47,8 +47,6 @@
 #import <Appointments/SOGoAppointmentFolders.h>
 #import <Appointments/SOGoWebAppointmentFolder.h>
 
-#import <UI/Common/WODirectAction+SOGo.h>
-
 #import "NSArray+Scheduler.h"
 
 #import "UIxCalListingActions.h"
@@ -638,7 +636,7 @@ - (WOResponse *) alarmsListAction
   NSDictionary *data;
   NSEnumerator *folders;
   unsigned int browserTime, laterTime;
-  
+
   // We look for alarms in the next 48 hours
   browserTime = [[[context request] formValueForKey: @"browserTime"] intValue];
   laterTime = browserTime + 60*60*48;
@@ -779,7 +777,7 @@ - (WOResponse *) eventsListAction
   unsigned int interval;
   BOOL isAllDay;
   NSString *sort, *ascending;
-  
+
   [self _setupContext];
   [self saveFilterValue: @"EventsFilterState"];
   [self saveSortValue: @"EventsSortingState"];
@@ -1317,7 +1315,7 @@ - (WOResponse *) eventsBlocksAction
   NSString *calendarName, *calendarId;
   BOOL isAllDay;
   int i, j;
-  
+
   [self _setupContext];
 
   events = [self _fetchFields: eventsFields forComponentOfType: @"vevent"];
@@ -1486,7 +1484,7 @@ - (WOResponse *) tasksListAction
   int statusCode;
   int startSecs;
   int endsSecs;
-  
+
   filteredTasks = [NSMutableArray array];
 
   [self _setupContext];
@@ -1573,9 +1571,8 @@ - (WOResponse *) activeTasksAction
   SOGoAppointmentFolder *folder;
   SOGoAppointmentFolders *co;
   NSArray *folders;
-
   int i;
-  
+
   co = [self clientObject];
   folders = [co subFolders];
   activeTasksByCalendars = [NSMutableDictionary dictionaryWithCapacity: [folders count]];

diff --git a/UI/Scheduler/UIxCalMainActions.h b/UI/Scheduler/UIxCalMainActions.h
@@ -1,6 +1,6 @@
 /* UIxCalMainActions.h - this file is part of SOGo
  *
- * Copyright (C) 2009-2013 Inverse inc.
+ * Copyright (C) 2009-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,9 +21,9 @@
 #ifndef UIXCALMAINACTIONS_H
 #define UIXCALMAINACTIONS_H
 
-#import <Common/WODirectAction+SOGo.h>
+#import <Common/SOGoDirectAction.h>
 
-@interface UIxCalMainActions : WODirectAction
+@interface UIxCalMainActions : SOGoDirectAction
 
 @end
 

diff --git a/UI/Scheduler/UIxCalMainActions.m b/UI/Scheduler/UIxCalMainActions.m
@@ -1,6 +1,6 @@
 /* UIxCalMainActions.m - this file is part of SOGo
  *
- * Copyright (C) 2009-2015 Inverse inc.
+ * Copyright (C) 2009-2016 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by

diff --git a/UI/WebServerResources/js/Common/Authentication.service.js b/UI/WebServerResources/js/Common/Authentication.service.js
@@ -151,11 +151,17 @@
 
         changePassword: function(newPassword) {
           var d = $q.defer(),
-              loginCookie = readLoginCookie();
+              loginCookie = readLoginCookie(),
+              xsrfCookie = $cookies.get('XSRF-TOKEN');
+
+          $cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});
 
           $http({
             method: 'POST',
             url: '/SOGo/so/changePassword',
+            headers: {
+              'X-XSRF-TOKEN' : xsrfCookie
+            },
             data: {
               userName: loginCookie[0],
               password: loginCookie[1],
@@ -186,6 +192,8 @@
               perr = passwordPolicyConfig.PolicyPasswordUnknown;
             }
 
+            // Restore the cookie
+            $cookies.put('XSRF-TOKEN', xsrfCookie, {path: '/SOGo/'});
             d.reject(error);
           });
           return d.promise;