diff --git a/inc/common.php b/inc/common.php
index b8e77d7bf1b5b0c5f88bfa2653663e5254e7729b..d23c0c53fb35734ccaf75416e76c4921589c9678 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -94,7 +94,13 @@ function stripctl($string) {
 function getSecurityToken() {
     /** @var Input $INPUT */
     global $INPUT;
-    return PassHash::hmac('md5', session_id().$INPUT->server->str('REMOTE_USER'), auth_cookiesalt());
+
+    $user = $INPUT->server->str('REMOTE_USER');
+    $session = session_id();
+
+    // CSRF checks are only for logged in users - do not generate for anonymous
+    if(trim($user) == '' || trim($session) == '') return '';
+    return PassHash::hmac('md5', $session.$user, auth_cookiesalt());
 }
 
 /**