diff --git a/login-base/src/main/java/ink/wgink/login/base/authentication/BaseAuthenticationProcessingFilter.java b/login-base/src/main/java/ink/wgink/login/base/authentication/BaseAuthenticationProcessingFilter.java
index e8e65690..f543d292 100644
--- a/login-base/src/main/java/ink/wgink/login/base/authentication/BaseAuthenticationProcessingFilter.java
+++ b/login-base/src/main/java/ink/wgink/login/base/authentication/BaseAuthenticationProcessingFilter.java
@@ -1,6 +1,7 @@
 package ink.wgink.login.base.authentication;
 
 import ink.wgink.interfaces.consts.ISystemConstant;
+import ink.wgink.login.base.consts.IUserCenterConst;
 import ink.wgink.login.base.exceptions.UserAuthenticationException;
 import ink.wgink.login.base.manager.ConfigManager;
 import org.apache.commons.lang3.StringUtils;
@@ -65,4 +66,24 @@ public abstract class BaseAuthenticationProcessingFilter extends AbstractAuthent
             throw new UserAuthenticationException("登录方法必须是POST");
         }
     }
+
+    protected void checkReferToken(HttpServletRequest request) {
+        Object referToken = request.getSession().getAttribute(IUserCenterConst.REFER_TOKEN);
+        if(referToken == null) {
+            throw new UserAuthenticationException("refer参数为空,请重新刷新页面");
+        }
+        String sessionReferToken = referToken.toString();
+        if(StringUtils.isBlank(sessionReferToken)) {
+            throw new UserAuthenticationException("refer参数为空,请重新刷新页面");
+        }
+        String pageReferToken = request.getParameter(IUserCenterConst.REFER_TOKEN);
+        if(StringUtils.isBlank(pageReferToken)) {
+            throw new UserAuthenticationException("请求头中缺少refer参数");
+        }
+        if(!StringUtils.equals(sessionReferToken, pageReferToken)) {
+            throw new UserAuthenticationException("refer不匹配");
+        }
+        // 校验成功删除session中的refer
+        request.getSession().removeAttribute(IUserCenterConst.REFER_TOKEN);
+    }
 }
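Review bot: The message thrown on the `pageReferToken` branch says the value is missing from the request header (`请求头中缺少refer参数`), but the line above reads it with `request.getParameter(IUserCenterConst.REFER_TOKEN)`, i.e. a form/query parameter, so the message sends anyone debugging a failed login to the wrong place; reword it to say the request parameter is missing. The match on the following line uses `StringUtils.equals`, which stops at the first differing character; for a secret compared against attacker-supplied input the usual choice is `MessageDigest.isEqual(sessionReferToken.getBytes(StandardCharsets.UTF_8), pageReferToken.getBytes(StandardCharsets.UTF_8))` (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). `checkReferToken` also deserves a Javadoc stating that it is a synchronizer-token check — the copy stored in the session must equal the copy posted back, and the session copy is consumed on success — and that subclasses must call it before they read credentials. On a failed comparison the session token is deliberately left in place so the user can resubmit; a one-line comment saying so would stop a later "fix" from removing it.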
diff --git a/login-base/src/main/java/ink/wgink/login/base/authentication/user/UserAuthenticationFilter.java b/login-base/src/main/java/ink/wgink/login/base/authentication/user/UserAuthenticationFilter.java
index ee213bf8..2fe1f2aa 100644
--- a/login-base/src/main/java/ink/wgink/login/base/authentication/user/UserAuthenticationFilter.java
+++ b/login-base/src/main/java/ink/wgink/login/base/authentication/user/UserAuthenticationFilter.java
@@ -32,6 +32,7 @@ public class UserAuthenticationFilter extends BaseAuthenticationProcessingFilter
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
         checkVerificationCode(request);
         checkPostMethod(request);
+        checkReferToken(request);
 
         String username = request.getParameter(KEY_USERNAME);
         String password = request.getParameter(KEY_PASSWORD);
diff --git a/login-base/src/main/java/ink/wgink/login/base/consts/IUserCenterConst.java b/login-base/src/main/java/ink/wgink/login/base/consts/IUserCenterConst.java
index 6b36cea4..417a174d 100644
--- a/login-base/src/main/java/ink/wgink/login/base/consts/IUserCenterConst.java
+++ b/login-base/src/main/java/ink/wgink/login/base/consts/IUserCenterConst.java
@@ -103,4 +103,9 @@ public interface IUserCenterConst {
      */
     String CUSTOM_LOGIN_FORM = "customLoginForm";
 
+    /**
+     * refer验证token
+     */
+    String REFER_TOKEN = "referToken";
+
 }
diff --git a/login-base/src/main/java/ink/wgink/login/base/service/impl/OAuthServiceImpl.java b/login-base/src/main/java/ink/wgink/login/base/service/impl/OAuthServiceImpl.java
index 5984ade2..561a19b9 100644
--- a/login-base/src/main/java/ink/wgink/login/base/service/impl/OAuthServiceImpl.java
+++ b/login-base/src/main/java/ink/wgink/login/base/service/impl/OAuthServiceImpl.java
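Review bot: `checkReferToken(request)` is wired into `UserAuthenticationFilter.attemptAuthentication` only, while the check itself is a `protected` helper on `BaseAuthenticationProcessingFilter`; any other subclass of that base filter (none is visible in this diff) keeps accepting logins without the session token, so either invoke it from the base class or audit the remaining subclasses. The call is also placed after `checkVerificationCode(request)`, so a request that lacks the token still reaches the captcha check first — if that check consumes a single-use code (not visible here) a forged request can burn it before being rejected; the stateless checks are cheaper and can go first: `checkPostMethod(request); checkReferToken(request); checkVerificationCode(request);`. `attemptAuthentication`'s body continues outside the hunk.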
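Review bot: The Javadoc on `REFER_TOKEN` says only `refer验证token`, but the same string is used both as the `HttpSession` attribute key (`getSession().getAttribute(IUserCenterConst.REFER_TOKEN)`) and as the form-parameter name read back with `request.getParameter(IUserCenterConst.REFER_TOKEN)`, so renaming one side silently breaks the other. Document both roles: `/** Session attribute key and form-parameter name of the per-page login token (synchronizer-token check). */`.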
@@ -6,6 +6,7 @@
 import ink.wgink.login.base.manager.ConfigManager;
 import ink.wgink.login.base.service.IOAuthService;
 import ink.wgink.properties.BaseProperties;
 import ink.wgink.properties.ServerProperties;
+import ink.wgink.util.UUIDUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
@@ -30,8 +31,14 @@ public class OAuthServiceImpl implements IOAuthService {
 
     @Override
     public Map getPageParams(HttpServletRequest request) {
+        // session中设置refer验证token
+        String referHeaderToken = UUIDUtil.getUUID();
+        request.getSession().setAttribute(IUserCenterConst.REFER_TOKEN, referHeaderToken);
+
         Map config = ConfigManager.getInstance().getConfig();
         Map pageParams = new HashMap<>(16);
+        pageParams.put(IUserCenterConst.REFER_TOKEN, referHeaderToken);
+
         Object errorMessage = request.getSession().getAttribute(IUserCenterConst.ERROR_MESSAGE);
         Object loginUsername = request.getSession().getAttribute(IUserCenterConst.LOGIN_USERNAME);
         pageParams.put(IUserCenterConst.ERROR_MESSAGE, errorMessage == null ? null : errorMessage.toString());
diff --git a/login-base/src/main/resources/templates/login.html b/login-base/src/main/resources/templates/login.html
index 94b88059..b73f4dec 100644
--- a/login-base/src/main/resources/templates/login.html
+++ b/login-base/src/main/resources/templates/login.html
@@ -50,6 +50,7 @@
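Review bot: `request.getSession().setAttribute(IUserCenterConst.REFER_TOKEN, referHeaderToken)` overwrites the session token on every render of the login page, so a user with two login tabs open (or one who refreshes the page behind a stale form) submits a token that `checkReferToken` rejects with `refer不匹配`; if that is not intended, reuse the existing value: `Object existing = request.getSession().getAttribute(IUserCenterConst.REFER_TOKEN);` followed by `String referHeaderToken = existing == null ? UUIDUtil.getUUID() : existing.toString();`. The unpredictability of the token rests on `UUIDUtil.getUUID()`, which is not shown in this diff — if it wraps `java.util.UUID.randomUUID()` it is `SecureRandom`-backed and adequate, but if it is a time- or counter-based generator the token is guessable and should be drawn from `SecureRandom` instead. The comment on the new lines should also note that `request.getSession()` creates a session when none exists, so rendering the login page now always establishes one, and say where the token is embedded in the page (the login.html hunk is cut off here). `getPageParams` continues outside the hunk.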