diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 8181a45dc34..0d470eda8fb 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -170,12 +170,12 @@ dol_syslog("Start session name=".$sessionname." Session id()=".session_id().", _
 // Creation d'un jeton contre les failles CSRF
 $token = md5(uniqid(rand(),TRUE)); // Genere un hash d'un nombre aleatoire
 // roulement des jetons car cree a chaque appel
-$_SESSION['token_level_2'] = $_SESSION['token_level_1'];
-$_SESSION['token_level_1'] = $_SESSION['newtoken'];
+if (isset($_SESSION['token_level_1'])) $_SESSION['token_level_2'] = $_SESSION['token_level_1'];
+if (isset($_SESSION['newtoken'])) $_SESSION['token_level_1'] = $_SESSION['newtoken'];
 $_SESSION['newtoken'] = $token;
 
 // Verification de la presence et de la validite du jeton
-if (isset($_POST['token_level_1']) && isset($_SESSION['token_level_1']) && isset($_SESSION['token_level_2']))
+if (isset($_POST['token']) && isset($_SESSION['token_level_1']) && isset($_SESSION['token_level_2']))
 {
 if (($_POST['token'] != $_SESSION['token_level_1']) || ($_POST['token'] != $_SESSION['token_level_2']))
 {
diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php
index b47a53f4111..102213bf6d7 100644
--- a/htdocs/public/paybox/newpayment.php
+++ b/htdocs/public/paybox/newpayment.php
@@ -1,6 +1,7 @@
  * Copyright (C) 2006-2009 Laurent Destailleur
+ * Copyright (C) 2009 Regis Houssin
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by 
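Review bot: The comparison in the context line `if (($_POST['token'] != $_SESSION['token_level_1']) || ($_POST['token'] != $_SESSION['token_level_2']))` can never be false: after the rotation the commit repairs just above, `token_level_1` and `token_level_2` always hold two different hashes, so any posted token mismatches at least one of them and the branch (whose body lies outside the hunk) runs for every token-carrying POST. If the intent is to accept the current token or the one issued just before it, the operator has to be `&&`: `if (($_POST['token'] !== $_SESSION['token_level_1']) && ($_POST['token'] !== $_SESSION['token_level_2']))`. The strict `!==` also avoids PHP's numeric-string coercion under `!=`, which treats certain hex digests as equal numbers. Separately, the outer guard only validates when `$_POST['token']` is present, so a POST that simply omits the field skips the check; unless that case is rejected elsewhere in main.inc.php, the guard should fail closed when the token is missing.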
@@ -25,6 +26,24 @@
  * \version $Id$
  */
 
+// Creation d'un jeton contre les failles CSRF
+$sessionname="DOLSESSID_PAYBOX";
+session_name($sessionname);
+session_start();
+$token = md5(uniqid(rand(),TRUE)); // Genere un hash d'un nombre aleatoire
+// roulement des jetons car cree a chaque appel
+if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
+$_SESSION['newtoken'] = $token;
+
+// Verification de la presence et de la validite du jeton
+if (isset($_POST['token']) && isset($_SESSION['token']))
+{
+ if ($_POST['token'] != $_SESSION['token'])
+ {
+ unset($_POST);
+ }
+}
+
 require("../../master.inc.php");
 require_once(DOL_DOCUMENT_ROOT."/paybox/paybox.lib.php");
 require_once(DOL_DOCUMENT_ROOT."/lib/company.lib.php");
@@ -53,17 +72,20 @@ else $currency=$_REQUEST["currency"];
 if (empty($_REQUEST["amount"]))
 {
 dol_print_error('','ErrorBadParameters');
+ session_destroy();
 exit;
 }
 $amount=$_REQUEST["amount"];
 if (is_numeric($amount) && empty($_REQUEST["tag"]))
 {
 dol_print_error('','ErrorBadParameters');
+ session_destroy();
 exit;
 }
 if (! is_numeric($amount) && empty($_REQUEST["ref"]))
 {
 dol_print_error('','ErrorBadParameters');
+ session_destroy();
 exit;
 }
 $suffix=$_REQUEST["suffix"];
@@ -91,6 +113,7 @@ if ($_REQUEST["action"] == 'dopayment')
 if (empty($mesg))
 {
 print_paybox_redirect($PRICE, $conf->monnaie, $EMAIL, $urlok, $urlko, $TAG, $ID);
+ session_destroy();
 exit;
 }
 }
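Review bot: `unset($_POST);` on a token mismatch does not protect the rest of this script, because the parameters are read through `$_REQUEST` (`$_REQUEST["amount"]`, `$_REQUEST["tag"]`, `$_REQUEST["action"]` in the two later hunks of this file) and `$_REQUEST` keeps its own copy of the POST data; the check is also skipped entirely when no `token` field is posted or when the same parameters arrive by GET. The check should fail closed where the state-changing `dopayment` branch (last hunk) is dispatched rather than clearing `$_POST`, e.g. `if (! isset($_POST['token']) || ! isset($_SESSION['token']) || $_POST['token'] !== $_SESSION['token']) { session_destroy(); exit; }`; whether the initial form view must stay reachable without a token is not visible here and needs confirming. `md5(uniqid(rand(),TRUE))` is also a weak token source, since `rand()` is not a cryptographic generator and `uniqid()` is time-derived, so a stronger random source should back the token. As in main.inc.php, the comparison should use `!==` instead of `!=`.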