Index: typo3/index.php
===================================================================
--- typo3/index.php (revision 10266)
+++ typo3/index.php (working copy)
@@ -397,6 +397,9 @@
 if (!$this->loginRefresh) {
 t3lib_utility_Http::redirect($this->redirectToURL);
 } else {
+ $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+ $token = $formprotection->generateToken('extDirect');
+ $formprotection->persistTokens();
 $TBE_TEMPLATE->JScode.=$TBE_TEMPLATE->wrapScriptTags('
 if (parent.opener && (parent.opener.busy || parent.opener.TYPO3.loginRefresh)) {
 if (parent.opener.TYPO3.loginRefresh) {
@@ -406,6 +409,7 @@
 }
 parent.close();
 }
+ parent.opener.TYPO3.ExtDirectToken = "' . $token . '";
 ');
 }
 } elseif (!$BE_USER->user['uid'] && $this->commandLI) {
Index: t3lib/class.t3lib_pagerenderer.php
===================================================================
--- t3lib/class.t3lib_pagerenderer.php (revision 10266)
+++ t3lib/class.t3lib_pagerenderer.php (working copy)
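Review bot: In typo3/index.php the added `parent.opener.TYPO3.ExtDirectToken = "' . $token . '";` appears to sit after the closing brace of the `if (parent.opener && ...)` guard, so it dereferences `parent.opener` and `parent.opener.TYPO3` unconditionally. This is judged from the visible braces only, since the lines between the two hunks are not shown. If the opener is null or has no `TYPO3` object, the statement throws a TypeError instead of being skipped. In the guarded path it also runs only after `parent.close()` has been called, so handing over the new token depends on the closing window still executing script. I would move the assignment inside the guard, ahead of `parent.close();`, wrapped as `if (parent.opener.TYPO3) { parent.opener.TYPO3.ExtDirectToken = ...; }`.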
@@ -956,20 +956,20 @@
 // does this only with multiple arguments
 $this->addExtOnReadyCode('
 (function() {
- var token = "' . $token . '";
+ TYPO3.ExtDirectToken = "' . $token . '";
 for (var api in Ext.app.ExtDirectAPI) {
 var provider = Ext.Direct.addProvider(Ext.app.ExtDirectAPI[api]);
 provider.on("beforecall", function(provider, transaction, meta) {
 if (transaction.data) {
- transaction.data[transaction.data.length] = token;
+ transaction.data[transaction.data.length] = TYPO3.ExtDirectToken;
 } else {
- transaction.data = [token];
+ transaction.data = [TYPO3.ExtDirectToken];
 }
 });
 provider.on("call", function(provider, transaction, meta) {
 if (transaction.isForm) {
- transaction.params.securityToken = token;
+ transaction.params.securityToken = TYPO3.ExtDirectToken;
 }
 });
 }
Index: typo3/classes/class.ajaxlogin.php
===================================================================
--- typo3/classes/class.ajaxlogin.php (revision 10266)
+++ typo3/classes/class.ajaxlogin.php (working copy)
@@ -44,7 +44,14 @@
 */
 public function login(array $parameters, TYPO3AJAX $ajaxObj) {
 if ($GLOBALS['BE_USER']->user['uid']) {
- $json = array('success' => TRUE);
+ $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+ $token = $formprotection->generateToken('extDirect');
+ $formprotection->persistTokens();
+
+ $json = array(
+ 'success' => TRUE,
+ 'token' => $token
+ );
 } else {
 $json = array('success' => FALSE);
 }
Index: typo3/js/loginrefresh.js
===================================================================
--- typo3/js/loginrefresh.js (revision 10266)
+++ typo3/js/loginrefresh.js (working copy)
@@ -298,6 +298,7 @@
 // User is logged in
 Ext.getCmp("loginformWindow").hide();
 TYPO3.loginRefresh.startTimer();
+ TYPO3.ExtDirectToken = result.token;
 } else {
 // TODO: add failure to notification system instead of alert
 Ext.Msg.alert(TYPO3.LLL.core.refresh_login_failed, TYPO3.LLL.core.refresh_login_failed_message);
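Review bot: In t3lib/class.t3lib_pagerenderer.php, `TYPO3.ExtDirectToken = "' . $token . '";` splices the PHP value into a JavaScript string literal without any encoding, and the commit repeats the pattern in typo3/index.php (`parent.opener.TYPO3.ExtDirectToken = "' . $token . '"`). The token presumably comes from the form-protection class and is likely a plain hash, but the emitted script should not rely on that. I would write `TYPO3.ExtDirectToken = ' . json_encode($token) . ';` in both places. Because the token now lives on the global `TYPO3` object instead of inside the closure, a one-line comment explaining that it is global so the login refresh can replace it after re-authentication would help the next reader. The `addExtOnReadyCode` call starts and ends outside the hunk.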
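Review bot: In typo3/classes/class.ajaxlogin.php the success branch of `login()` now puts the extDirect form-protection token into the response for any request that arrives with a logged-in `BE_USER`, and nothing visible documents that. I would add a line to the docblock ending at `*/` (its text is outside the hunk) saying the JSON result carries a `'token'` key on success, and a comment above `$json` noting the value is a CSRF secret. How the response is emitted is not visible here, so it is worth confirming that it is served as JSON and not cacheable. The three token lines duplicate those added in typo3/index.php; a small shared helper would keep the form name `'extDirect'` in one place.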
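Review bot: In typo3/js/loginrefresh.js, `TYPO3.ExtDirectToken = result.token;` overwrites the working token with whatever the response holds, including `undefined` if a success response arrives without the key. A guard keeps the previous value in that case: `if (result.token) { TYPO3.ExtDirectToken = result.token; }`. The enclosing callback begins outside the hunk.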