diff --git a/app/home/c/UserController.php b/app/home/c/UserController.php
index 12b6aa0..f2ef9dd 100644
--- a/app/home/c/UserController.php
+++ b/app/home/c/UserController.php
@@ -62,6 +62,12 @@ function userinfo(){
 $this->checklogin();
 if($_POST){
 $w = $this->frparam();
+ if(!isset($w['csrfkey']) || $w['csrfkey']!=$_SESSION['csrfkey']){
+ if($this->frparam('ajax')){
+ JsonReturn(['code'=>1,'msg'=>JZLANG('非法操作!')]);
+ }
+ Error(JZLANG('非法操作!'));
+ }
 $w = get_fields_data($w,'member',0);
 unset($w['jifen']);
 unset($w['money']);
@@ -167,7 +173,8 @@ function userinfo(){
 Error(JZLANG('修改成功!'));
 }
-
+ $_SESSION['csrfkey'] = getRandChar(32);
+ $this->csrfkey = $_SESSION['csrfkey'];
 $this->display($this->template.'/user/userinfo');
 }
diff --git a/static/cms/user/userinfo.html b/static/cms/user/userinfo.html
index 9e032d0..f7c6a38 100644
--- a/static/cms/user/userinfo.html
+++ b/static/cms/user/userinfo.html
@@ -19,6 +19,7 @@
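Review bot: The token check `$w['csrfkey']!=$_SESSION['csrfkey']` in the first hunk uses loose `!=` and reads `$_SESSION['csrfkey']` without confirming it exists, so a POST that arrives before the page has ever been rendered raises an undefined-index notice, and a submitted array value (`csrfkey[]=`) or numeric-looking string is compared under PHP's loose-comparison rules rather than byte-for-byte. Treat a missing session token as a failure and compare in constant time: `$sessKey = $_SESSION['csrfkey'] ?? ''; if($sessKey === '' || !is_string($w['csrfkey'] ?? null) || !hash_equals($sessKey, $w['csrfkey'])){`. The rejection path also relies on `JsonReturn()` terminating the request before `Error()` runs; if it does not, the non-AJAX error page would be emitted after the JSON body, so a short comment confirming that `JsonReturn()` exits would help the next reader. `userinfo()` starts outside the hunk.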
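Review bot: `$_SESSION['csrfkey'] = getRandChar(32);` in the second hunk overwrites the token on every render of the page, so a form opened in a second tab (or any render that reaches this line after the `if($_POST)` branch) silently invalidates the token already in the first form; unless one token per render is intended, generate it once per session with `$_SESSION['csrfkey'] = $_SESSION['csrfkey'] ?? getRandChar(32);`. `getRandChar()` is not visible here; the token's unpredictability is the entire defence, so it should be backed by `random_bytes()`/`random_int()` rather than `rand()`/`mt_rand()`, and a comment such as `// CSRF token: getRandChar must draw from a CSPRNG` at this line would record that dependency. `userinfo()` starts outside the hunk.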

资料与账号

+