diff --git a/Admin/Routes/Web/Api.php b/Admin/Routes/Web/Api.php
index 4f3b132..2b2f2cb 100755
--- a/Admin/Routes/Web/Api.php
+++ b/Admin/Routes/Web/Api.php
@@ -22,6 +22,7 @@ return [
         [
             'dest'       => '\Modules\HumanResourceTimeRecording\Controller\ApiController:apiSessionCreate',
             'verb'       => RouteVerb::PUT,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::CREATE,
@@ -33,6 +34,7 @@ return [
         [
             'dest'       => '\Modules\HumanResourceTimeRecording\Controller\ApiController:apiSessionElementCreate',
             'verb'       => RouteVerb::PUT,
+            'csrf'       => true,
             'permission' => [
                 'module' => ApiController::NAME,
                 'type'   => PermissionType::CREATE,
diff --git a/Controller/BackendController.php b/Controller/BackendController.php
index bf304e7..8c6601d 100755
--- a/Controller/BackendController.php
+++ b/Controller/BackendController.php
@@ -86,6 +86,7 @@ final class BackendController extends Controller implements DashboardElementInte
             ->with('profile')
             ->with('profile/account')
             ->where('profile/account', $request->header->account)
+            ->limit(1)
             ->execute();
 
         /** @var \Modules\HumanResourceTimeRecording\Models\Session $lastOpenSession */