diff --git a/bureau/class/config.php b/bureau/class/config.php index 5e4e157f..27cc6508 100755 --- a/bureau/class/config.php +++ b/bureau/class/config.php @@ -178,6 +178,17 @@ if ((variable_get('force_https', '0', "This variable is set to 0 (default) if us } } +// CHECK CSRF for ALL POSTS : +// you MUST add csrf_get(); after ALL
in AlternC ! +if (count($_POST)) { + if (csrf_check()<=0) { + $error=$err->errstr(); + require_once("main.php"); + exit(); + } +} + + /* Check the User identity (if required) */ if (!defined('NOCHECK')) { if (!$mem->checkid()) { @@ -209,17 +220,6 @@ if ($oldid && $oldid != $cuid) { $isinvited = true; } -// CHECK CSRF for ALL POSTS : -// you MUST add after ALL errstr(); - require_once("main.php"); - exit(); - } -} - - // Init some vars variable_get('hosting_tld', '', 'This is a FQDN that designates the main hostname of the service. For example, hosting_tld determines in what TLD the "free" user domain is created. If this is set to "example.com", a checkbox will appear in the user creation dialog requesting the creator if he wants to create the domain "username.example.com".', array('desc' => 'Wanted FQDN', 'type' => 'string'));
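Review bot: With the check moved above `$mem->checkid()`, a failed `csrf_check()` now pulls in `main.php` and exits before the requester's identity has been verified. Whether `main.php` is safe to render without an authenticated session is not visible in this hunk, so the failure path should either be confirmed safe or replaced with a response that needs no session state, for example `http_response_code(403);` followed by a minimal error message. The guard is also keyed on `count($_POST)` rather than on the request method, so a POST whose body PHP does not parse into `$_POST` (a file-only multipart upload, a non-form content type) skips the token check; `if ($_SERVER['REQUEST_METHOD'] === 'POST') {` would cover those. The login form is presumably subject to the check now as well, so it needs a token that can be issued and validated before authentication.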