diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -1906,13 +1906,18 @@ def secure_form(url, method="POST", mult
     """
     from webhelpers.pylonslib.secure_form import insecure_form
     form = insecure_form(url, method, multipart, **attrs)
-    token = csrf_input()
+
+    session = None
+    # TODO(marcink): after pyramid migration require request variable ALWAYS
+    if 'request' in attrs:
+        session = attrs['request'].session
+
+    token = literal(
+        '<input type="hidden" id="{}" name="{}" value="{}">'.format(
+        csrf_token_key, csrf_token_key, get_csrf_token(session)))
+
     return literal("%s\n%s" % (form, token))
 
-def csrf_input():
-    return literal(
-        '<input type="hidden" id="{}" name="{}" value="{}">'.format(
-        csrf_token_key, csrf_token_key, get_csrf_token()))
 
 def dropdownmenu(name, selected, options, enable_filter=False, **attrs):
     select_html = select(name, selected, options, **attrs)
diff --git a/rhodecode/model/forms.py b/rhodecode/model/forms.py
--- a/rhodecode/model/forms.py
+++ b/rhodecode/model/forms.py
@@ -49,6 +49,7 @@ from pkg_resources import resource_filen
 from formencode import All, Pipe
 
 from pylons.i18n.translation import _
+from pyramid.threadlocal import get_current_request
 
 from rhodecode import BACKENDS
 from rhodecode.lib import helpers
@@ -66,6 +67,7 @@ class RhodecodeFormZPTRendererFactory(de
     """ Subclass of ZPTRendererFactory to add rhodecode context variables """
     def __call__(self, template_name, **kw):
         kw['h'] = helpers
+        kw['request'] = get_current_request()
         return self.load(template_name)(**kw)
 
 
diff --git a/rhodecode/templates/admin/auth/auth_settings.mako b/rhodecode/templates/admin/auth/auth_settings.mako
--- a/rhodecode/templates/admin/auth/auth_settings.mako
+++ b/rhodecode/templates/admin/auth/auth_settings.mako
@@ -38,7 +38,7 @@
     </div>
 
     <div class="main-content-full-width">
-      ${h.secure_form(request.resource_path(resource, route_name='auth_home'))}
+      ${h.secure_form(request.resource_path(resource, route_name='auth_home'), request=request)}
       <div class="form">
 
         <div class="panel panel-default">
diff --git a/rhodecode/templates/admin/auth/plugin_settings.mako b/rhodecode/templates/admin/auth/plugin_settings.mako
--- a/rhodecode/templates/admin/auth/plugin_settings.mako
+++ b/rhodecode/templates/admin/auth/plugin_settings.mako
@@ -47,7 +47,7 @@
           <div class="panel-body">
             <div class="plugin_form">
               <div class="fields">
-                ${h.secure_form(request.resource_path(resource, route_name='auth_home'))}
+                ${h.secure_form(request.resource_path(resource, route_name='auth_home'), request=request)}
                 <div class="form">
 
                   %for node in plugin.get_settings_schema():
diff --git a/rhodecode/templates/admin/gists/edit.mako b/rhodecode/templates/admin/gists/edit.mako
--- a/rhodecode/templates/admin/gists/edit.mako
+++ b/rhodecode/templates/admin/gists/edit.mako
@@ -26,7 +26,7 @@
     <div class="table">
 
         <div id="files_data">
-          ${h.secure_form(h.route_path('gist_update', gist_id=c.gist.gist_access_id), id='eform', method='POST')}
+          ${h.secure_form(h.route_path('gist_update', gist_id=c.gist.gist_access_id), id='eform', method='POST', request=request)}
             <div>
                 <input type="hidden" value="${c.file_last_commit.raw_id}" name="parent_hash">
                 <textarea id="description" name="description"
diff --git a/rhodecode/templates/admin/gists/new.mako b/rhodecode/templates/admin/gists/new.mako
--- a/rhodecode/templates/admin/gists/new.mako
+++ b/rhodecode/templates/admin/gists/new.mako
@@ -25,7 +25,7 @@
 
     <div class="table">
         <div id="files_data">
-          ${h.secure_form(h.route_path('gists_create'), id='eform', method='POST')}
+          ${h.secure_form(h.route_path('gists_create'), id='eform', method='POST', request=request)}
             <div>
                 <textarea id="description" name="description" placeholder="${_('Gist description ...')}"></textarea>
 
diff --git a/rhodecode/templates/admin/gists/show.mako b/rhodecode/templates/admin/gists/show.mako
--- a/rhodecode/templates/admin/gists/show.mako
+++ b/rhodecode/templates/admin/gists/show.mako
@@ -45,7 +45,7 @@
                     <div class="stats">
                        %if h.HasPermissionAny('hg.admin')() or c.gist.gist_owner == c.rhodecode_user.user_id:
                         <div class="remove_gist">
-                            ${h.secure_form(h.route_path('gist_delete', gist_id=c.gist.gist_access_id), method='POST')}
+                            ${h.secure_form(h.route_path('gist_delete', gist_id=c.gist.gist_access_id), method='POST', request=request)}
                                 ${h.submit('remove_gist', _('Delete'),class_="btn btn-mini btn-danger",onclick="return confirm('"+_('Confirm to delete this Gist')+"');")}
                             ${h.end_form()}
                         </div>
diff --git a/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako b/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
--- a/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
+++ b/rhodecode/templates/admin/my_account/my_account_auth_tokens.mako
@@ -42,7 +42,7 @@
                      %endif
                 </td>
                 <td class="td-action">
-                    ${h.secure_form(h.route_path('my_account_auth_tokens_delete'), method='post')}
+                    ${h.secure_form(h.route_path('my_account_auth_tokens_delete'), method='POST', request=request)}
                         ${h.hidden('del_auth_token', auth_token.user_api_key_id)}
                         <button class="btn btn-link btn-danger" type="submit"
                                 onclick="return confirm('${_('Confirm to remove this auth token: %s') % auth_token.token_obfuscated}');">
@@ -59,7 +59,7 @@
     </div>
 
         <div class="user_auth_tokens">
-            ${h.secure_form(h.route_path('my_account_auth_tokens_add'), method='post')}
+            ${h.secure_form(h.route_path('my_account_auth_tokens_add'), method='POST', request=request)}
             <div class="form form-vertical">
                 <!-- fields -->
                 <div class="fields">
diff --git a/rhodecode/templates/admin/my_account/my_account_emails.mako b/rhodecode/templates/admin/my_account/my_account_emails.mako
--- a/rhodecode/templates/admin/my_account/my_account_emails.mako
+++ b/rhodecode/templates/admin/my_account/my_account_emails.mako
@@ -25,7 +25,7 @@
                         <span class="user email">${em.email}</span>
                     </td>
                     <td class="td-action">
-                        ${h.secure_form(h.route_path('my_account_emails_delete'), method='POST')}
+                        ${h.secure_form(h.route_path('my_account_emails_delete'), method='POST', request=request)}
                             ${h.hidden('del_email_id',em.email_id)}
                             <button class="btn btn-link btn-danger" type="submit" id="${'remove_email_%s'.format(em.email_id)}"
                                     onclick="return confirm('${_('Confirm to delete this email: {}').format(em.email)}');">
@@ -48,7 +48,7 @@
         </div>
 
         <div>
-            ${h.secure_form(h.route_path('my_account_emails_add'), method='POST')}
+            ${h.secure_form(h.route_path('my_account_emails_add'), method='POST', request=request)}
             <div class="form">
                 <!-- fields -->
                 <div class="fields">
diff --git a/rhodecode/templates/admin/my_account/my_account_profile_edit.mako b/rhodecode/templates/admin/my_account/my_account_profile_edit.mako
--- a/rhodecode/templates/admin/my_account/my_account_profile_edit.mako
+++ b/rhodecode/templates/admin/my_account/my_account_profile_edit.mako
@@ -6,7 +6,7 @@
     </div>
 
     <div class="panel-body">
-    ${h.secure_form(h.route_path('my_account_update'), class_='form', method='POST')}
+    ${h.secure_form(h.route_path('my_account_update'), class_='form', method='POST', request=request)}
     <% readonly = None %>
     <% disabled = "" %>
 
diff --git a/rhodecode/templates/admin/permissions/permissions_ips.mako b/rhodecode/templates/admin/permissions/permissions_ips.mako
--- a/rhodecode/templates/admin/permissions/permissions_ips.mako
+++ b/rhodecode/templates/admin/permissions/permissions_ips.mako
@@ -20,7 +20,7 @@
               <td class="td-iprange"><div class="ip">${h.ip_range(ip.ip_addr)}</div></td>
               <td class="td-description"><div class="ip">${ip.description}</div></td>
               <td class="td-action">
-                ${h.secure_form(h.route_path('edit_user_ips_delete', user_id=c.user.user_id), method='POST')}
+                ${h.secure_form(h.route_path('edit_user_ips_delete', user_id=c.user.user_id), method='POST', request=request)}
                     ${h.hidden('del_ip_id',ip.ip_id)}
                     ${h.hidden('default_user', 'True')}
                     ${h.submit('remove_',_('Delete'),id="remove_ip_%s" % ip.ip_id,
@@ -40,7 +40,7 @@
       </table>
     </div>
 
-    ${h.secure_form(h.route_path('edit_user_ips_add', user_id=c.user.user_id), method='POST')}
+    ${h.secure_form(h.route_path('edit_user_ips_add', user_id=c.user.user_id), method='POST', request=request)}
       <div class="form">
         <!-- fields -->
         <div class="fields">
diff --git a/rhodecode/templates/admin/repos/repo_edit_advanced.mako b/rhodecode/templates/admin/repos/repo_edit_advanced.mako
--- a/rhodecode/templates/admin/repos/repo_edit_advanced.mako
+++ b/rhodecode/templates/admin/repos/repo_edit_advanced.mako
@@ -24,7 +24,7 @@
         <h3 class="panel-title">${_('Fork Reference')} <a class="permalink" href="#advanced-fork"> ¶</a></h3>
     </div>
     <div class="panel-body">
-      ${h.secure_form(h.route_path('edit_repo_advanced_fork', repo_name=c.repo_info.repo_name), method='POST')}
+      ${h.secure_form(h.route_path('edit_repo_advanced_fork', repo_name=c.repo_info.repo_name), method='POST', request=request)}
 
         % if c.repo_info.fork:
             <div class="panel-body-title-text">${h.literal(_('This repository is a fork of %(repo_link)s') % {'repo_link': h.link_to_if(c.has_origin_repo_read_perm,c.repo_info.fork.repo_name, h.route_path('repo_summary', repo_name=c.repo_info.fork.repo_name))})}
@@ -48,7 +48,7 @@
         <h3 class="panel-title">${_('Public Journal Visibility')} <a class="permalink" href="#advanced-journal"> ¶</a></h3>
     </div>
     <div class="panel-body">
-      ${h.secure_form(h.route_path('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='POST')}
+      ${h.secure_form(h.route_path('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='POST', request=request)}
         <div class="field">
         %if c.in_public_journal:
           <button class="btn btn-small" type="submit">
@@ -73,7 +73,7 @@
         <h3 class="panel-title">${_('Locking state')} <a class="permalink" href="#advanced-locking"> ¶</a></h3>
     </div>
     <div class="panel-body">
-        ${h.secure_form(h.route_path('edit_repo_advanced_locking', repo_name=c.repo_info.repo_name), method='POST')}
+        ${h.secure_form(h.route_path('edit_repo_advanced_locking', repo_name=c.repo_info.repo_name), method='POST', request=request)}
 
         %if c.repo_info.locked[0]:
              <div class="panel-body-title-text">${'Locked by %s on %s. Lock reason: %s' % (h.person_by_id(c.repo_info.locked[0]),
@@ -113,7 +113,7 @@
         <h3 class="panel-title">${_('Delete repository')} <a class="permalink" href="#advanced-delete"> ¶</a></h3>
     </div>
     <div class="panel-body">
-      ${h.secure_form(h.route_path('edit_repo_advanced_delete', repo_name=c.repo_name), method='POST')}
+      ${h.secure_form(h.route_path('edit_repo_advanced_delete', repo_name=c.repo_name), method='POST', request=request)}
         <table class="display">
             <tr>
                 <td>
diff --git a/rhodecode/templates/admin/repos/repo_edit_caches.mako b/rhodecode/templates/admin/repos/repo_edit_caches.mako
--- a/rhodecode/templates/admin/repos/repo_edit_caches.mako
+++ b/rhodecode/templates/admin/repos/repo_edit_caches.mako
@@ -14,7 +14,7 @@
             </code>
         </p>
 
-        ${h.secure_form(h.route_path('edit_repo_caches', repo_name=c.repo_name), method='POST')}
+        ${h.secure_form(h.route_path('edit_repo_caches', repo_name=c.repo_name), method='POST', request=request)}
         <div class="form">
            <div class="fields">
                ${h.submit('reset_cache_%s' % c.repo_info.repo_name,_('Invalidate repository cache'),class_="btn btn-small",onclick="return confirm('"+_('Confirm to invalidate repository cache')+"');")}
diff --git a/rhodecode/templates/admin/repos/repo_edit_permissions.mako b/rhodecode/templates/admin/repos/repo_edit_permissions.mako
--- a/rhodecode/templates/admin/repos/repo_edit_permissions.mako
+++ b/rhodecode/templates/admin/repos/repo_edit_permissions.mako
@@ -5,7 +5,7 @@
         <h3 class="panel-title">${_('Repository Permissions')}</h3>
     </div>
     <div class="panel-body">
-        ${h.secure_form(h.route_path('edit_repo_perms', repo_name=c.repo_name), method='POST')}
+        ${h.secure_form(h.route_path('edit_repo_perms', repo_name=c.repo_name), method='POST', request=request)}
         <table id="permissions_manage" class="rctable permissions">
             <tr>
                 <th class="td-radio">${_('None')}</th>
diff --git a/rhodecode/templates/admin/repos/repo_edit_settings.mako b/rhodecode/templates/admin/repos/repo_edit_settings.mako
--- a/rhodecode/templates/admin/repos/repo_edit_settings.mako
+++ b/rhodecode/templates/admin/repos/repo_edit_settings.mako
@@ -6,7 +6,7 @@
         <h3 class="panel-title">${_('Settings for Repository: %s') % c.rhodecode_db_repo.repo_name}</h3>
     </div>
     <div class="panel-body">
-    ${h.secure_form(h.route_path('edit_repo', repo_name=c.rhodecode_db_repo.repo_name), method='POST')}
+    ${h.secure_form(h.route_path('edit_repo', repo_name=c.rhodecode_db_repo.repo_name), method='POST', request=request)}
     <div class="form">
         <!-- fields -->
         <div class="fields">
diff --git a/rhodecode/templates/admin/repos/repo_edit_strip.mako b/rhodecode/templates/admin/repos/repo_edit_strip.mako
--- a/rhodecode/templates/admin/repos/repo_edit_strip.mako
+++ b/rhodecode/templates/admin/repos/repo_edit_strip.mako
@@ -9,7 +9,7 @@
                 ${_('In the first step commits will be verified for existance in the repository')}. </br>
                 ${_('In the second step, correct commits will be available for stripping')}.
             </p>
-            ${h.secure_form(h.route_path('strip_check', repo_name=c.repo_info.repo_name), method='post')}
+            ${h.secure_form(h.route_path('strip_check', repo_name=c.repo_info.repo_name), method='POST', request=request)}
                 <div id="change_body" class="field">
                     <div id="box-1" class="inputx locked_input">
                         <input class="text" id="changeset_id-1" name="changeset_id-1" size="59"
diff --git a/rhodecode/templates/admin/settings/settings_sessions.mako b/rhodecode/templates/admin/settings/settings_sessions.mako
--- a/rhodecode/templates/admin/settings/settings_sessions.mako
+++ b/rhodecode/templates/admin/settings/settings_sessions.mako
@@ -28,7 +28,7 @@
         <h3 class="panel-title">${_('Cleanup Old Sessions')}</h3>
     </div>
     <div class="panel-body">
-        ${h.secure_form(h.route_path('admin_settings_sessions_cleanup'), method='post')}
+        ${h.secure_form(h.route_path('admin_settings_sessions_cleanup'), method='POST', request=request)}
 
             <p>
             ${_('Cleanup user sessions that were not active during chosen time frame.')} <br/>
diff --git a/rhodecode/templates/admin/users/user_edit_auth_tokens.mako b/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
--- a/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
+++ b/rhodecode/templates/admin/users/user_edit_auth_tokens.mako
@@ -38,7 +38,7 @@
                          %endif
                     </td>
                     <td class="td-action">
-                        ${h.secure_form(h.route_path('edit_user_auth_tokens_delete', user_id=c.user.user_id), method='POST')}
+                        ${h.secure_form(h.route_path('edit_user_auth_tokens_delete', user_id=c.user.user_id), method='POST', request=request)}
                             ${h.hidden('del_auth_token', auth_token.user_api_key_id)}
                             <button class="btn btn-link btn-danger" type="submit"
                                     onclick="return confirm('${_('Confirm to remove this auth token: %s') % auth_token.token_obfuscated}');">
@@ -55,7 +55,7 @@
         </div>
 
         <div class="user_auth_tokens">
-            ${h.secure_form(h.route_path('edit_user_auth_tokens_add', user_id=c.user.user_id), method='POST')}
+            ${h.secure_form(h.route_path('edit_user_auth_tokens_add', user_id=c.user.user_id), method='POST', request=request)}
             <div class="form form-vertical">
                 <!-- fields -->
                 <div class="fields">
diff --git a/rhodecode/templates/admin/users/user_edit_emails.mako b/rhodecode/templates/admin/users/user_edit_emails.mako
--- a/rhodecode/templates/admin/users/user_edit_emails.mako
+++ b/rhodecode/templates/admin/users/user_edit_emails.mako
@@ -24,7 +24,7 @@
                         <span class="user email">${em.email}</span>
                     </td>
                     <td class="td-action">
-                        ${h.secure_form(h.route_path('edit_user_emails_delete', user_id=c.user.user_id), method='POST')}
+                        ${h.secure_form(h.route_path('edit_user_emails_delete', user_id=c.user.user_id), method='POST', request=request)}
                             ${h.hidden('del_email_id', em.email_id)}
                             <button class="btn btn-link btn-danger" type="submit"
                                     onclick="return confirm('${_('Confirm to delete this email: %s') % em.email}');">
@@ -46,7 +46,7 @@
           </table>
         </div>
 
-        ${h.secure_form(h.route_path('edit_user_emails_add', user_id=c.user.user_id), method='POST')}
+        ${h.secure_form(h.route_path('edit_user_emails_add', user_id=c.user.user_id), method='POST', request=request)}
         <div class="form">
             <!-- fields -->
             <div class="fields">
diff --git a/rhodecode/templates/admin/users/user_edit_groups.mako b/rhodecode/templates/admin/users/user_edit_groups.mako
--- a/rhodecode/templates/admin/users/user_edit_groups.mako
+++ b/rhodecode/templates/admin/users/user_edit_groups.mako
@@ -19,7 +19,7 @@
         </div>
 
         <div class="groups_management">
-            ${h.secure_form(h.route_path('edit_user_groups_management_updates', user_id=c.user.user_id), method='post')}
+            ${h.secure_form(h.route_path('edit_user_groups_management_updates', user_id=c.user.user_id), method='POST', request=request)}
             <div id="repos_list_wrap">
                 <table id="user_group_list_table" class="display"></table>
             </div>
diff --git a/rhodecode/templates/admin/users/user_edit_ips.mako b/rhodecode/templates/admin/users/user_edit_ips.mako
--- a/rhodecode/templates/admin/users/user_edit_ips.mako
+++ b/rhodecode/templates/admin/users/user_edit_ips.mako
@@ -30,7 +30,7 @@
             <td class="td-iprange"><div class="ip">${h.ip_range(ip.ip_addr)}</div></td>
             <td class="td-description"><div class="ip">${ip.description}</div></td>
             <td class="td-action">
-                ${h.secure_form(h.route_path('edit_user_ips_delete', user_id=c.user.user_id), method='POST')}
+                ${h.secure_form(h.route_path('edit_user_ips_delete', user_id=c.user.user_id), method='POST', request=request)}
                     ${h.hidden('del_ip_id', ip.ip_id)}
                     ${h.submit('remove_', _('Delete'),id="remove_ip_%s" % ip.ip_id,
                     class_="btn btn-link btn-danger", onclick="return confirm('"+_('Confirm to delete this ip: %s') % ip.ip_addr+"');")}
@@ -51,7 +51,7 @@
 </div>
 
         <div>
-    ${h.secure_form(h.route_path('edit_user_ips_add', user_id=c.user.user_id), method='POST')}
+    ${h.secure_form(h.route_path('edit_user_ips_add', user_id=c.user.user_id), method='POST', request=request)}
     <div class="form">
         <!-- fields -->
         <div class="fields">
diff --git a/rhodecode/templates/base/base.mako b/rhodecode/templates/base/base.mako
--- a/rhodecode/templates/base/base.mako
+++ b/rhodecode/templates/base/base.mako
@@ -348,7 +348,7 @@
                 <li>${h.link_to(_(u'My personal group'), h.route_path('repo_group_home', repo_group_name=c.rhodecode_user.personal_repo_group.group_name))}</li>
               % endif
               <li class="logout">
-              ${h.secure_form(h.route_path('logout'))}
+              ${h.secure_form(h.route_path('logout'), request=request)}
                   ${h.submit('log_out', _(u'Sign Out'),class_="btn btn-primary")}
               ${h.end_form()}
               </li>
diff --git a/rhodecode/templates/data_table/_dt_elements.mako b/rhodecode/templates/data_table/_dt_elements.mako
--- a/rhodecode/templates/data_table/_dt_elements.mako
+++ b/rhodecode/templates/data_table/_dt_elements.mako
@@ -119,7 +119,7 @@
         <i class="icon-pencil"></i>Edit</a>
     </div>
     <div class="grid_delete">
-      ${h.secure_form(h.route_path('edit_repo_advanced_delete', repo_name=repo_name), method='POST')}
+      ${h.secure_form(h.route_path('edit_repo_advanced_delete', repo_name=repo_name), method='POST', request=request)}
         ${h.submit('remove_%s' % repo_name,_('Delete'),class_="btn btn-link btn-danger",
         onclick="return confirm('"+_('Confirm to delete this repository: %s') % repo_name+"');")}
       ${h.end_form()}
diff --git a/rhodecode/templates/forms/form.pt b/rhodecode/templates/forms/form.pt
--- a/rhodecode/templates/forms/form.pt
+++ b/rhodecode/templates/forms/form.pt
@@ -27,7 +27,7 @@
 
     <legend tal:condition="title">${title}</legend>
 
-    <input type="hidden" name="${h.csrf_token_key}" value="${h.get_csrf_token()}" />
+    <input type="hidden" name="${h.csrf_token_key}" value="${h.get_csrf_token(request.session)}" />
     <input type="hidden" name="_charset_" />
     <input type="hidden" name="__formid__" value="${formid}"/>