diff --git a/lib/Cake/Controller/Component/SecurityComponent.php b/lib/Cake/Controller/Component/SecurityComponent.php
index b1f1aafad..8018fe0d7 100644
--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -495,6 +495,10 @@ class SecurityComponent extends Component {
 if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
 $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
 }
+ if ($this->csrfCheck && $this->csrfUseOnce == false) {
+ $csrfTokens = array_keys($token['csrfTokens']);
+ $token['key'] = $csrfTokens[0];
+ }
 $this->Session->write('_Token', $token);
 $controller->request->params['_Token'] = array(
 'key' => $token['key'],
diff --git a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
index 48e7657eb..a326f7982 100644
--- a/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php
@@ -1151,6 +1151,9 @@ class SecurityComponentTest extends CakeTestCase {
 $token2 = $this->Security->Session->read('_Token.csrfTokens');
 $this->assertEquals(1, count($token2), 'Should only be one token.');
 $this->assertEquals($token, $token2, 'Tokens should not be different.');
+
+ $key = $this->Controller->request->params['_Token']['key'];
+ $this->assertEquals(array($key), array_keys($token), '_Token.key and csrfToken do not match request will blackhole.');
 }
 
 /**
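Review bot: In SecurityComponent.php, `$csrfTokens[0]` is read without checking that `$token['csrfTokens']` has any entries, and the guard just above the added block tests `$tokenData['csrfTokens']`, which is a different array. If the two can diverge (for example if code outside this hunk drops expired entries from `$token['csrfTokens']`, which is not visible here), the index is undefined and `$token['key']` becomes null, so the key written to the session and to the request params would no longer be a stored CSRF token. I would guard the block with `if ($this->csrfCheck && !$this->csrfUseOnce && !empty($token['csrfTokens'])) {`, which also replaces the loose `== false` comparison. The enclosing method starts and ends outside the hunk.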
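Review bot: In SecurityComponentTest.php, the added assertion appears to cover only the case where the session still holds a live token, so it does not pin what `_Token.key` becomes once the stored CSRF token has expired; the test body starts outside the hunk, so this is inferred from the visible lines. A companion case that seeds `_Token.csrfTokens` with an already-expired entry and then asserts that `_Token.key` is still one of the keys in `csrfTokens` would catch a key/token mismatch on that path. The failure message is also a run-on sentence; something like `'_Token.key must match the stored csrfToken, otherwise the request is blackholed.'` reads more clearly in test output.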