diff --git a/class2.php b/class2.php
index 507116938..61c5942c2 100644
--- a/class2.php
+++ b/class2.php
@@ -580,11 +580,11 @@ if(isset($pref['lan_global_list']))
 $sql->db_Mark_Time('Start: CHAP challenge');
-
+$die = (e_AJAX_REQUEST == true) ? false : true; // prevent json breakage.
 e107::getSession()
 ->challenge() // Make sure there is a unique challenge string for CHAP login
- ->check(); // Token protection
-
+ ->check($die); // Token protection
+unset($die);
 //
 // N: misc setups: online user tracking, cache
diff --git a/e107_handlers/admin_log_class.php b/e107_handlers/admin_log_class.php
index 2fa992824..8f703bb4e 100644
--- a/e107_handlers/admin_log_class.php
+++ b/e107_handlers/admin_log_class.php
@@ -715,12 +715,14 @@ class e_admin_log
 * @param string Title for use inside the Log file
 * @param boolean true = append to file, false = new file each save.
 */
- public function toFile($name,$logTitle='',$append=false)
+ public function toFile($name, $logTitle='',$append=false)
 {
-
+ $this->logFile = $name;
- $this->saveToFile($logTitle,$append);
+ $file = $this->saveToFile($logTitle,$append);
+ $this->logFile = null;
+ return $file;
 }
diff --git a/e107_handlers/session_handler.php b/e107_handlers/session_handler.php
index 2d2b73c8a..61fdce901 100644
--- a/e107_handlers/session_handler.php
+++ b/e107_handlers/session_handler.php
@@ -820,6 +820,7 @@ class e_core_session extends e_session
 $this->end();
 }
+ /**
 * Core CSF protection, see class2.php
 * Could be adopted by plugins for their own (different) protection logic
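Review bot: The boolean that `->check($die)` now returns is discarded at this call site, so for AJAX requests (where `$die` is false) a failed token check logs and returns without stopping the request, and CSRF protection for AJAX then depends on every AJAX handler re-running `e107::getSession()->check(false)` on its own. Record the outcome once here, e.g. `$tokenOk = e107::getSession()->challenge()->check($die);`, so handlers and later bootstrap logic can consult a single result instead of each repeating the check, and state that expectation in the comment next to `// prevent json breakage.`. As a point of style, `$die = (e_AJAX_REQUEST == true) ? false : true;` reads more directly as `$die = !e_AJAX_REQUEST;`; I cannot see how `e_AJAX_REQUEST` is defined, so whether it is a strict boolean is an assumption.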
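Review bot: `toFile()` now returns whatever `saveToFile()` returns, but the docblock directly above it in this hunk still documents only the two optional parameters; add a `@return` line describing that value (`saveToFile()` is not visible here, so its return type should be taken from that method). `$this->logFile = null;` also clears the property unconditionally after the write; if any caller sets `logFile` before calling `toFile()` that value is lost, so saving and restoring the previous value (`$prev = $this->logFile;` … `$this->logFile = $prev;`) would be safer — hedged, since other writers of `logFile` are outside this hunk. The new signature spacing `($name, $logTitle='',$append=false)` is inconsistent between arguments.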
@@ -837,32 +838,45 @@ class e_core_session extends e_session
 if($this->getSessionId())
 {
 if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token']))
- || (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token'])))
+ || (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token']))
+ || (isset($_POST['e_token']) && !$this->checkFormToken($_POST['e_token']))) // '-' is not allowed in jquery. b
 {
 // if(defsettrue('e_DEBUG'))
 {
 $details = "USER: ".USERNAME."\n";
 $details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
 $details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
- $details .= "e-token (POST): ".$_POST['e-token']."\n";
- $details .= "e-token (GET): ".$_GET['e-token']."\n";
+ $details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
+ $details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
+ $details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
+ $details .= "_SESSION:\n";
 $details .= print_r($_SESSION,true);
 // $details .= "\n_POST:\n";
 // $details .= print_r($_POST,true);
 // $details .= "\n_GET:\n";
 // $details .= print_r($_GET,true);
- $details .= "\nPlugins:\n";
- $details .= print_r($pref['plug_installed'],true);
+ if($pref['plug_installed'])
+ {
+ $details .= "\nPlugins:\n";
+ $details .= print_r($pref['plug_installed'],true);
+ }
+ $details .= "die = ".($die == true ? 'true' : 'false')."\n\n---------------------------------\n\n";
+ $log = e107::getAdminLog();
 $log->addDebug($details);
 $log->toFile('Unauthorized_access','Unauthorized access Log', true);
 $log->add('Unauthorized access!', $details, E_LOG_FATAL);
 // e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);
 }
+ // do not redirect, prevent dead loop, save server resources
- if($die) die('Unauthorized access!');
+ if($die == true)
+ {
+ die('Unauthorized access!');
+ }
+ return false;
 }
 }
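Review bot: The three new `$details` lines read `$_POST['e-token']`, `$_GET['e-token']` and `$_POST['e_token']` by value inside the ternary condition, and the enclosing `if` only guarantees that at least one of them is set, so each logging pass raises an undefined-index notice for the ones the request did not carry. Test with `isset()` instead, e.g. `$details .= isset($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";` for all three, and likewise `if(!empty($pref['plug_installed']))` for the plugin list. The pre-existing context line `$details = "HOST: ".$_SERVER['HTTP_HOST']."\n";` uses `=` rather than `.=` and discards the USER line written just above it, which is worth fixing while this block is being touched. The trailing ` b` in `// '-' is not allowed in jquery. b` looks like a typo. The `check()` signature that declares `$die` is above this hunk, so the parameter's default is not visible here.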
@@ -883,8 +897,21 @@ class e_core_session extends e_session
 }
 define('e_TOKEN', $this->getFormToken());
 }
+ return true;
 }
+
+
+
+ /**
+ * Manually Reset the Token.
+ * @see e107forum::ajaxQuickReply();
+ */
+ public function reset()
+ {
+ $this->_regenerateFormToken()->clear('__form_token_regenerate');
+ }
+ /**
 * Make sure there is unique challenge string for CHAP login
diff --git a/e107_plugins/forum/forum_class.php b/e107_plugins/forum/forum_class.php
index d867129d2..b114df87f 100644
--- a/e107_plugins/forum/forum_class.php
+++ b/e107_plugins/forum/forum_class.php
@@ -27,7 +27,7 @@ $(document).ready(function()
 var post = $(this).attr('data-forum-post');
 var text = $('#forum-quickreply-text').val();
 var insert = $(this).attr('data-forum-insert');
-
+ var token = $(this).attr('data-token');
 if(action != 'stick' && action !='unstick')
@@ -40,8 +40,9 @@ $(document).ready(function()
 $.ajax({
 type: "POST",
 url: script,
- data: { thread: thread, action: action, post: post, text: text, insert:insert },
+ data: { thread: thread, action: action, post: post, text: text, insert:insert, e_token: token },
 success: function(data) {
+ // alert(data);
 var d = $.parseJSON(data);
@@ -189,6 +190,16 @@ class e107forum
 function ajaxQuickReply()
 {
 $tp = e107::getParser();
+
+ if(!e107::getSession()->check(false))
+ {
+ //$ret['status'] = 'ok';
+ // $ret['msg'] = "Token Error";
+
+ // echo json_encode($ret);
+
+ exit;
+ }
 if(varset($_POST['action']) == 'quickreply' && vartrue($_POST['text']))
 {
@@ -223,7 +234,7 @@ class e107forum
 $tmpl = e107::getTemplate('forum','forum_viewtopic','replies');
 $sc = e107::getScBatch('view', 'forum');
 $sc->setScVar('postInfo', $postInfo);
- $ret['html'] = $tp->parseTemplate($tmpl, true, vartrue($forum_shortcodes)) . "\n";
+ $ret['html'] = $tp->parseTemplate($tmpl, true, $sc) . "\n";
 }
 else
 {
@@ -237,6 +248,7 @@ class e107forum
 echo json_encode($ret);
 }
+ e107::getSession()->reset();
 exit;
 }
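Review bot: `reset()` regenerates the form token, but `e_TOKEN` was already defined from the previous token by `check()` earlier in the same request (`define('e_TOKEN', $this->getFormToken());` is visible in this hunk) and a constant cannot be updated, so anything rendered after `reset()` that embeds `e_TOKEN` carries a stale value. In `ajaxQuickReply()` (the `@@ -237` hunk below) `reset()` runs just before `exit` and the JSON reply does not include the new token, so the page's `data-token` attribute presumably still holds the old one and a second quick reply from the same page would fail `check(false)` — inferred from the JS in that file, worth confirming. Either include the fresh token in the reply (`$ret['token'] = e107::getSession()->getFormToken();` before `echo json_encode($ret);`) and have the client update `token`, or document on `reset()` that callers must re-issue the token themselves. The method also lacks a return annotation; add `@return void` (or return `$this` for chaining, as `_regenerateFormToken()` appears to). A core method whose `@see` names a plugin method as its contract is fragile; describing the intended use case instead would age better.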
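Review bot: The new `e_token` POST field exists only because, per the comment added in `session_handler.php`, `'-'` is not allowed in jQuery, but a quoted key is valid in an object literal: `data: { thread: thread, action: action, post: post, text: text, insert:insert, 'e-token': token },`. That keeps a single token parameter name and removes the need for the extra `$_POST['e_token']` branch in the session handler. The `// alert(data);` debug line is better dropped than left commented out.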
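Review bot: On a failed token check `ajaxQuickReply()` exits with an empty body, while the caller in this file's JS runs `$.parseJSON(data)` on the response, which throws on an empty string rather than surfacing an error. The commented-out lines already sketch the intended reply; emit it, `echo json_encode(array('status' => 'error', 'msg' => 'Token Error'));` before `exit;`, with a 403 status if the client can make use of it, and delete the commented-out draft. Failing closed here is the right choice; the rest of the method body continues past the end of this hunk.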
@@ -246,6 +258,12 @@ class e107forum
 function ajaxModerate()
 {
+
+ if(!ADMIN) //FIXME check permissions per forum.
+ {
+ exit;
+ }
+ if(!vartrue($_POST['thread']) && !vartrue($_POST['post']))
 {
 exit;
diff --git a/e107_plugins/forum/forum_viewtopic.php b/e107_plugins/forum/forum_viewtopic.php
index 2b6c19bfe..564b0627d 100644
--- a/e107_plugins/forum/forum_viewtopic.php
+++ b/e107_plugins/forum/forum_viewtopic.php
@@ -376,16 +376,18 @@ if ($forum->checkPerm($thread->threadInfo['thread_forum_id'], 'post') && $thread
 $ajaxInsert = ($thread->pages == $thread->page || $thread->pages == 0) ? 1 : 0; // echo "AJAX-INSERT=".$ajaxInsert ."(".$thread->pages." vs ".$thread->page.")";
+ $frm = e107::getForm();
 $tVars->QUICKREPLY = "
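Review bot: `ajaxModerate()` gains an `ADMIN` gate but, unlike `ajaxQuickReply()`, never calls `e107::getSession()->check(false)`; since `class2.php` now passes `$die = false` for AJAX requests and discards the result, a request carrying an invalid token is no longer stopped globally, so the moderation actions driven by `$_POST['thread']` and `$_POST['post']` run on the `ADMIN` flag alone. Add the same guard here, `if(!e107::getSession()->check(false)) { exit; }`, after the ADMIN check. The `//FIXME check permissions per forum.` is a genuine gap too, since a site admin is not necessarily a moderator of the forum in question. The method body continues past the end of this hunk.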
$thread->threadId)) . "' method='post'>
- + +
"; - + // Preview should be reserved for the full 'Post reply' page.   } else