diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php
index 6febb0f1b..fac6e3fdd 100644
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@@ -11,17 +11,19 @@ class CORSHelper
 $response = $response->setHeader('Access-Control-Allow-Origin', '*');
 $origin = $request->getHeader('Origin');
 if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
- (!in_array($origin,
- array("http://www.airtime.pro",
- "https://www.airtime.pro",
- "https://account.sourcefabric.com",
- "http://" . $_SERVER['SERVER_NAME'],
- "https://" . $_SERVER['SERVER_NAME']
- ))
- ))
+ (!in_array($origin, self::getAllowedOrigins())))
 {
 //Don't allow CORS from other domains to prevent XSS.
 throw new Zend_Controller_Action_Exception('Forbidden', 403);
 }
 }
+
+ public static function getAllowedOrigins()
+ {
+ return array("http://www.airtime.pro",
+ "https://www.airtime.pro",
+ "https://account.sourcefabric.com",
+ "http://" . $_SERVER['SERVER_NAME'],
+ "https://" . $_SERVER['SERVER_NAME']);
+ }
 }
diff --git a/airtime_mvc/application/forms/Login.php b/airtime_mvc/application/forms/Login.php
index b8d3989c2..623fa14fa 100644
--- a/airtime_mvc/application/forms/Login.php
+++ b/airtime_mvc/application/forms/Login.php
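Review bot: `getAllowedOrigins()` becomes public in this hunk without a docblock or return type, and its contract matters: each entry is an exact scheme+host origin with no trailing slash, which `in_array` compares whole against the `Origin` header. Suggested docblock: `/** Origins trusted for CORS and for CSRF-exempt logins; exact scheme+host, no trailing slash. @return string[] */`. The Login.php hunk in this same commit reuses the list as a prefix test against the Referer, where the missing slash means a referer whose host merely begins with an allowed origin (a constructed example: `https://www.airtime.pro.example/`) also passes, so that caller should match on `$safeOrigin . '/'` or compare the parsed scheme and host exactly; if `StringHelper::startsWith` takes the haystack first, its two arguments there also look reversed. The last two entries come from `$_SERVER['SERVER_NAME']`, which on some web-server configurations is filled from the request's Host header; if that applies here, part of the list is attacker-influenced and worth confirming.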
@@ -1,5 +1,7 @@ setMethod('post');
- $this->addElement('hash', 'csrf', array(
- 'salt' => 'unique'
- ));
+ //If the request comes from an origin we consider safe, we disable the CSRF
+ //token checking ONLY for the login page. We do this to allow logins from WHMCS to work.
+ $request = Zend_Controller_Front::getInstance()->getRequest();
+ if ($request) {
+ $refererUrl = $request->getHeader('referer');
+ $originIsSafe = false;
+ foreach (CORSHelper::getAllowedOrigins() as $safeOrigin) {
+ if (StringHelper::startsWith($safeOrigin, $refererUrl)) {
+ $originIsSafe = true;
+ break;
+ }
+ }
+ }
+
+ if (!$originIsSafe) {
+ $this->addElement('hash', 'csrf', array(
+ 'salt' => 'unique'
+ ));
+ }
 $this->setDecorators(array(
 array('ViewScript', array('viewScript' => 'form/login.phtml'))