diff --git a/course/mod.php b/course/mod.php
index 2cca5c73044..3247db4ef5f 100644
--- a/course/mod.php
+++ b/course/mod.php
@@ -78,7 +78,7 @@ if (!empty($add)) {
 $returntomod = optional_param('return', 0, PARAM_BOOL);
 redirect("$CFG->wwwroot/course/modedit.php?update=$update&return=$returntomod&sr=$sectionreturn");
-} else if (!empty($duplicate)) {
+} else if (!empty($duplicate) and confirm_sesskey()) {
 $cm = get_coursemodule_from_id('', $duplicate, 0, true, MUST_EXIST);
 $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
diff --git a/course/modduplicate.php b/course/modduplicate.php
index ae7527370e9..81eefa60665 100644
--- a/course/modduplicate.php
+++ b/course/modduplicate.php
@@ -31,9 +31,11 @@ require_once(dirname(dirname(__FILE__)) . '/config.php');
 $cmid = required_param('cmid', PARAM_INT);
-$courseid = optional_param('course', PARAM_INT);
+$courseid = required_param('course', PARAM_INT);
 $sectionreturn = optional_param('sr', null, PARAM_INT);
+require_sesskey();
+
 debugging('Please use moodle_url(\'/course/mod.php\', array(\'duplicate\' => $cmid , \'id\' => $courseid, \'sesskey\' => sesskey(), \'sr\' => $sectionreturn))) instead of new moodle_url(\'/course/modduplicate.php\', array(\'cmid\' => $cmid
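Review bot: When `confirm_sesskey()` returns false in the new `else if (!empty($duplicate) and confirm_sesskey())` condition in course/mod.php, the request is not rejected at this point but falls through to whatever branches follow in the chain, which lie outside this hunk. The outcome of a failed CSRF check therefore depends on code not shown here; presumably the user ends up with a generic error rather than an explicit invalid-sesskey one. Consider keeping the condition as `} else if (!empty($duplicate)) {` and making `require_sesskey();` the first statement of the branch, which fails closed and matches the check this commit adds to course/modduplicate.php. The if/else chain starts and ends outside the hunk, so the fall-through behaviour should be confirmed against the remaining branches.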