Index: typo3/sysext/setup/mod/index.php
===================================================================
--- typo3/sysext/setup/mod/index.php	(revision 10170)
+++ typo3/sysext/setup/mod/index.php	(working copy)
@@ -121,6 +121,12 @@
 	protected $installToolFileExists = FALSE;
 	protected $installToolFileKeep = FALSE;
 
+	/**
+	 * Form protection instance
+	 *
+	 * @var t3lib_formprotection_BackendFormProtection
+	 */
+	protected $formProtection;
 
 	/******************************
 	 *
@@ -128,6 +134,23 @@
 	 *
 	 ******************************/
 
+
+	/**
+	 * Instanciate the form protection before a simulated user is initialized.
+	 */
+	public function __construct() {
+		$this->formProtection = t3lib_formProtection_Factory::get(
+			't3lib_formprotection_BackendFormProtection'
+		);
+	}
+
+	/**
+	 * Getter for the form protection instance.
+	 */
+	public function getFormProtection() {
+		return $this->formProtection;
+	}
+
 	/**
 	 * If settings are submitted to _POST[DATA], store them
 	 * NOTICE: This method is called before the template.php is included. See
@@ -144,10 +167,7 @@
 		$storeRec = array();
 		$fieldList = $this->getFieldsFromShowItem();
 
-		$formProtection = t3lib_formProtection_Factory::get(
-			't3lib_formprotection_BackendFormProtection'
-		);
-		if (is_array($d) && $formProtection->validateToken(
+		if (is_array($d) && $this->formProtection->validateToken(
 				(string) t3lib_div::_POST('formToken'),
 				'BE user setup', 'edit'
 			)
@@ -443,10 +463,7 @@
 
 		$this->content .= $this->doc->spacer(20) . $this->doc->getDynTabMenu($menuItems, 'user-setup', FALSE, FALSE, 0, 1, FALSE, 1, $this->dividers2tabs);
 
-		$formProtection = t3lib_formProtection_Factory::get(
-			't3lib_formprotection_BackendFormProtection'
-		);
-		$formToken = $formProtection->generateToken('BE user setup', 'edit');
+		$formToken = $this->formProtection->generateToken('BE user setup', 'edit');
 
 			// Submit and reset buttons
 		$this->content .= $this->doc->spacer(20);
@@ -998,6 +1015,5 @@
 $SOBE->main();
 $SOBE->printContent();
 
-t3lib_formProtection_Factory::get('t3lib_formprotection_BackendFormProtection')
-	->persistTokens();
+$SOBE->getFormProtection()->persistTokens();
 ?>
Index: t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php
===================================================================
--- t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php	(revision 10170)
+++ t3lib/formprotection/class.t3lib_formprotection_backendformprotection.php	(working copy)
@@ -116,6 +116,14 @@
 	protected $maximumNumberOfTokens = 20000;
 
 	/**
+	 * Keeps the instance of the user which existed during creation
+	 * of the object.
+	 *
+	 * @var t3lib_beUserAuth
+	 */
+	protected $backendUser;
+
+	/**
 	 * Only allow construction if we have a backend session
 	 */
 	public function __construct() {
@@ -126,6 +134,7 @@
 				1285067843
 			);
 		}
+		$this->backendUser = $GLOBALS['BE_USER'];
 		parent::__construct();
 	}
 
@@ -155,7 +164,7 @@
 	 *		 the saved tokens as, will be empty if no tokens have been saved
 	 */
 	protected function retrieveTokens() {
-		$tokens = $GLOBALS['BE_USER']->getSessionData('formTokens');
+		$tokens = $this->backendUser->getSessionData('formTokens');
 		if (!is_array($tokens)) {
 			$tokens = array();
 		}
@@ -170,7 +179,7 @@
 	 * @return void
 	 */
 	public function persistTokens() {
-		$GLOBALS['BE_USER']->setAndSaveSessionData('formTokens', $this->tokens);
+		$this->backendUser->setAndSaveSessionData('formTokens', $this->tokens);
 	}
 }