diff --git a/familyconnections/addressbook.php b/familyconnections/addressbook.php
index daa87167..d199bc67 100644
--- a/familyconnections/addressbook.php
+++ b/familyconnections/addressbook.php
@@ -196,6 +196,14 @@ function displayExportSubmit ()
 foreach ($rows as $row) {
+ // Sanitize cell values to prevent CSV injection (Fixes #539)
+ $row = array_map(function($val) {
+ // Prefix dangerous characters to prevent formula execution in spreadsheets
+ if (preg_match('/^[=+\-@\t\r]/', $val)) {
+ return "'" . $val;
+ }
+ return $val;
+ }, $row);
 $csv .= '"'.join('","', str_replace('"', '""', $row))."\"\015\012";
 }
diff --git a/familyconnections/inc/utils.php b/familyconnections/inc/utils.php
index 73400965..4161c05b 100644
--- a/familyconnections/inc/utils.php
+++ b/familyconnections/inc/utils.php
@@ -2776,6 +2776,9 @@ function loginUser ($userId, $remember)
 setcookie('fcms_cookie_token', $token, time() + (30*(24*3600)), '/'); // 30 days
 }
+ // Regenerate session ID to prevent session fixation attacks (Fixes #537)
+ session_regenerate_id(true);
+
 $_SESSION['fcms_id'] = $userId;
 $_SESSION['fcms_token'] = $token;
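Review bot: The `preg_match()` call in the new closure is handed `$val` unconverted, and if any address-book column comes back as NULL (the hunk does not show how `$rows` is fetched) that is a deprecated null-to-string coercion on PHP 8.1+ and, for non-string values, a `TypeError`; casting first, `if (preg_match('/^[=+\-@\t\r]/', (string) $val)) {`, keeps the guard robust for every cell. The single-quote prefix is the OWASP-recommended neutralisation and is correctly applied before the `""` doubling on the following line, but it does alter legitimate values that start with `+` or `-`, which in an address-book export will include international phone numbers; the comment should say so, e.g. `// Note: values starting with +/- (e.g. "+44 ...") are exported with a leading apostrophe on purpose`. The closure reads no outer state, so `static function ($val) {` would be the idiomatic form. displayExportSubmit begins before this hunk.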
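Review bot: The return value of `session_regenerate_id(true)` is ignored, so if no session is active at this point (the hunk does not show where `session_start()` is called) the call emits a warning, returns false, and the login continues with whatever session ID the request arrived with, which is exactly the fixation case the change is meant to close. Treat failure as a hard stop, e.g. `if (!session_regenerate_id(true)) { return false; }`, adapted to whatever failure signalling loginUser's callers already expect; the rest of loginUser's body lies outside the hunk. One caveat worth recording in the comment: with `true` the old session is deleted immediately, so any concurrent request from the same client still carrying the old ID will lose its session, which matters if the login page issues parallel requests; `// old session is deleted at once — concurrent requests with the old ID will be logged out` would document that trade-off.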