diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php index eaef1d015..4ea0a456a 100644 --- a/cake/libs/controller/components/security.php +++ b/cake/libs/controller/components/security.php @@ -473,7 +473,6 @@ class SecurityComponent extends Object { } foreach ($key1 as $value) { - if(in_array($value, $key)) { $remove = explode('.', $value); unset($check[$remove['0']][$remove['1']]); @@ -484,7 +483,7 @@ class SecurityComponent extends Object { } } } - + $merge = array(); foreach($check as $key => $value) { if($key === '__Token') { $field[$key] = $value; @@ -494,27 +493,33 @@ class SecurityComponent extends Object { if($string === '_') { $newKey = substr($key, 1); - $controller->data[$newKey] = Set::pushDiff($controller->data[$key], $controller->data[$newKey]); - unset($controller->data[$key]); if(is_array($value)) { $values = array_values($value); - if(isset($values['0']) && empty($values['0'])) { - $k = array_keys($value); - if(isset($values['0'])) { - $field[$key][$k['0']] = ''; - } - } else { - $field[$key] = $value; + $k = array_keys($value); + $count = count($k); + for($i = 0; $count > $i; $i++) { + $field[$key][$k[$i]] = $values[$i]; } } + + foreach($k as $lookup) { + if(isset($controller->data[$newKey][$lookup])){ + unset($controller->data[$key][$lookup]); + } elseif ($controller->data[$key][$lookup] === '0') { + $merge[] = $lookup; + } + } + $controller->data[$newKey] = Set::pushDiff($controller->data[$key], $controller->data[$newKey]); + unset($controller->data[$key]); continue; } if(!array_key_exists($key, $value)) { $field[$key] = array_keys($value); + $field[$key] = array_merge($merge, $field[$key]); } } - $check = urlencode(Security::hash(serialize($field) . CAKE_SESSION_STRING)); + $check = urlencode(Security::hash(serialize(sort($field)) . CAKE_SESSION_STRING)); if($form !== $check) { if(!$this->blackHole($controller, 'auth')) { 
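Review bot: `serialize(sort($field))` in the last changed line of the third hunk hashes the return value of `sort()`, not the field list. `sort()` reorders its argument in place and returns a boolean, so the hashed input no longer depends on which fields were posted. The same expression is added to `secure()` in the form.php hunk, so both sides still agree, but on a value that is the same for every form, which removes the tamper check that `$form !== $check` is meant to enforce. Sort on its own line and hash the array itself, e.g. `ksort($field);` then `$check = urlencode(Security::hash(serialize($field) . CAKE_SESSION_STRING));` (plain `sort()` would also discard the model keys), with the matching change in `secure()`. Separately, the new `foreach($k as $lookup)` sits outside the `if(is_array($value))` guard, so `$k` is undefined or left over from an earlier key when `$value` is not an array; the enclosing method starts and ends outside the hunk.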
diff --git a/cake/libs/model/model.php b/cake/libs/model/model.php index d068ed673..b63477b90 100644 --- a/cake/libs/model/model.php +++ b/cake/libs/model/model.php @@ -2143,4 +2143,4 @@ if (!defined('CAKEPHP_UNIT_TEST_EXECUTION')) { Overloadable::overload('Model'); } -?> +?> \ No newline at end of file diff --git a/cake/libs/view/helpers/form.php b/cake/libs/view/helpers/form.php index bd1ef0168..c0238ceef 100644 --- a/cake/libs/view/helpers/form.php +++ b/cake/libs/view/helpers/form.php @@ -247,7 +247,7 @@ class FormHelper extends AppHelper { } function secure($fields) { $append = '

'; - $append .= $this->hidden('_Token/fields', array('value' => urlencode(Security::hash(serialize($fields) . CAKE_SESSION_STRING)), 'id' => 'TokenFields' . mt_rand())); + $append .= $this->hidden('_Token.fields', array('value' => urlencode(Security::hash(serialize(sort($fields)) . CAKE_SESSION_STRING)), 'id' => 'TokenFields' . mt_rand())); $append .= '

'; return $append; } @@ -631,11 +631,11 @@ class FormHelper extends AppHelper { } $output = null; - if(isset($object) && is_int($options['value'])) { + if(isset($object) && ($options['value'] == 0 || $options['value'] == 1)) { $db =& ConnectionManager::getDataSource($object->useDbConfig); $value = $db->boolean($options['value']); $options['value'] = 1; - $output = $this->hidden($fieldName, array('value' => '-1', 'id' => $options['id'] . '_'), true); + $output = $this->hidden($fieldName, array('value' => '0', 'id' => $options['id'] . '_'), true); } if(isset($options['value']) && $value == $options['value']) { @@ -705,7 +705,11 @@ class FormHelper extends AppHelper { if(isset($this->params['_Token']) && !empty($this->params['_Token'])) { $model = '_' . $model; } - $this->__secure($model, ife($options['value'], $options['value'], '')); + $value = ''; + if (!empty($options['value']) || $options['value'] === '0') { + $value = $options['value']; + } + $this->__secure($model, $value); if (in_array($fieldName, array('_method', '_fields'))) { $model = null; diff --git a/cake/tests/cases/libs/view/helpers/form.test.php b/cake/tests/cases/libs/view/helpers/form.test.php index 5a5a3c3c4..e5e8b92f0 100644 --- a/cake/tests/cases/libs/view/helpers/form.test.php +++ b/cake/tests/cases/libs/view/helpers/form.test.php @@ -824,12 +824,12 @@ class FormHelperTest extends CakeTestCase { $this->Form->validationErrors['Model']['field'] = 1; $this->Form->data['Contact']['published'] = 1; $result = $this->Form->checkbox('Contact.published', array('id'=>'theID')); - $this->assertEqual($result, ''); + $this->assertEqual($result, ''); $this->Form->validationErrors['Model']['field'] = 1; $this->Form->data['Contact']['published'] = 0; $result = $this->Form->checkbox('Contact.published', array('id'=>'theID')); - $this->assertEqual($result, ''); + $this->assertEqual($result, ''); }
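Review bot: The new condition `$options['value'] == 0 || $options['value'] == 1` in the `@@ -631` hunk uses loose comparison, so under PHP's pre-8 rules `null`, `''`, `false` and any non-numeric string also compare equal to 0. Those values take the boolean branch, which overwrites `$options['value']` with 1 and emits the hidden `'0'` companion field, so a checkbox with a non-boolean value on a model field would silently lose it. A strict membership test such as `in_array($options['value'], array(0, 1, '0', '1'), true)` keeps the intended widening from `is_int()` without matching arbitrary strings. This matters for the token check as well, since the hidden `'0'` is what the SecurityComponent hunk tests with `=== '0'`. The enclosing function starts outside the hunk, so how `$options['value']` is populated is not visible here.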