diff --git a/libs/config.sample.php b/libs/config.sample.php
index ebb526a..261cf32 100755
--- a/libs/config.sample.php
+++ b/libs/config.sample.php
@@ -18,7 +18,7 @@
 "jsUrl" => "",
 "tokenLength" => 10,
 "cookieConfig" => array(
- "path" => '',
+ "path" => '/',
 "domain" => '',
 "secure" => false,
 "expire" => '',
diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php
index 4f7a073..6656c07 100755
--- a/libs/csrf/csrfprotector.php
+++ b/libs/csrf/csrfprotector.php
@@ -302,10 +302,11 @@ private static function isValidToken($token) {
 // Clear all older tokens assuming they have been consumed
 foreach ($_SESSION[self::$config['CSRFP_TOKEN']] as $_key => $_value) {
- if ($_value == $token) break;
- array_shift($_SESSION[self::$config['CSRFP_TOKEN']]);
+ if ($_value == $token) {
+ unset($_SESSION[self::$config['CSRFP_TOKEN']][$_key]);
+ return true;
+ }
 }
- return true;
 }
 }
diff --git a/test/csrfprotector_test.php b/test/csrfprotector_test.php
index 6c864cb..cc5eff4 100644
--- a/test/csrfprotector_test.php
+++ b/test/csrfprotector_test.php
@@ -396,7 +396,7 @@ public function testAuthorisePost_success()
 $temp = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']];
 csrfprotector::authorizePost(); //will create new session and cookies
- $this->assertFalse($temp == $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]);
+ $this->assertTrue(!isset($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]));
 $this->assertTrue(csrfp_wrapper::checkHeader('Set-Cookie'));
 $this->assertTrue(csrfp_wrapper::checkHeader('csrfp_token'));
 // $this->assertTrue(csrfp_wrapper::checkHeader($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0])); // Combine these 3 later
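Review bot: The sample config now sets `"path" => '/'` but nothing records why the empty value was a problem, and a sample file is where users copy settings from. I would add above that line the comment `// '/' makes the token cookie available on every route of the site; if this value reaches setcookie() unchanged, an empty path would let PHP default it to the directory of the script that set it, so requests under other paths would not carry the token`. How the library applies cookieConfig is outside this hunk, so confirm the setcookie() assumption there before wording the comment.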
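Review bot: The context line `// Clear all older tokens assuming they have been consumed` no longer describes the loop below it: the new body removes only the entry equal to `$token` and returns, so every older token left in the session array stays accepted. If keeping earlier tokens usable is the intent, change the comment to say so, e.g. `// Consume the matching token; other tokens in the session stay valid`; if not, the keys preceding the match still need to be unset before `return true;`. The new `if ($_value == $token)` also compares the request-supplied token loosely; `if (hash_equals((string) $_value, (string) $token))` gives a strict, constant-time match and avoids numeric-string coercion. isValidToken begins before and ends after this hunk, and with the trailing `return true;` removed the code after the loop should be checked to return an explicit `false` rather than falling off the end of the function.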
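Review bot: With the `assertFalse($temp == ...)` line gone, `$temp` on the context line above is assigned but, unless something after the hunk reads it, never used; drop the assignment or assert on it. `$this->assertTrue(!isset(...[0]))` also hides the actual value on failure; `$this->assertArrayNotHasKey(0, $_SESSION[csrfprotector::$config['CSRFP_TOKEN']]);` reports the array contents instead. The same two points apply to the identical change in testAuthorisePost_success_2 further down.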
@@ -406,7 +406,7 @@ public function testAuthorisePost_success()
 csrfp_wrapper::changeRequestType('GET');
 $_POST[csrfprotector::$config['CSRFP_TOKEN']] = $_GET[csrfprotector::$config['CSRFP_TOKEN']]
- = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0];
+ = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][1];
 $temp = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']];
 csrfprotector::authorizePost(); //will create new session and cookies
@@ -437,7 +437,7 @@ public function testAuthorisePost_success_2()
 $temp = $_SESSION[csrfprotector::$config['CSRFP_TOKEN']];
 csrfprotector::authorizePost(); //will create new session and cookies
- $this->assertFalse($temp == $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]);
+ $this->assertTrue(!isset($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]));
 $this->assertTrue(csrfp_wrapper::checkHeader('Set-Cookie'));
 $this->assertTrue(csrfp_wrapper::checkHeader('csrfp_token'));
 // $this->assertTrue(csrfp_wrapper::checkHeader($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0])); // Combine these 3 later
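Review bot: The switch from `[0]` to `[1]` on the added line depends on the earlier authorizePost() call having removed key 0 while leaving the remaining keys in place, and nothing in the test says so. A comment on that line such as `// key 0 was consumed by the previous request; unset() leaves the other keys as they are` would make the dependency explicit, and `$this->assertArrayHasKey(1, $_SESSION[csrfprotector::$config['CSRFP_TOKEN']]);` before the assignment would make a missing key fail clearly instead of as an undefined-index notice. testAuthorisePost_success starts before this hunk.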