diff --git a/public/index.php b/public/index.php
index 0c1fbd09..30279049 100644
--- a/public/index.php
+++ b/public/index.php
@@ -118,4 +118,4 @@ if (!@$supress_master) $smarty->display($master_template, $smarty_cache_key);
 // Unset any temporary values here
 unset($_SESSION['POPUP']);
 
-?>
\ No newline at end of file
+?>
diff --git a/tests/config.dist.php b/tests/config.dist.php
new file mode 100644
index 00000000..21da7475
--- /dev/null
+++ b/tests/config.dist.php
@@ -0,0 +1,10 @@
+<?php 
+
+// full path to mpos public directory, with trailing slash
+define('BASEPATH', '');
+
+// choose which mpos config to test against, dist or real
+// 0 = dist, 1 = real
+define('DIST_OR_REAL_CONFIG', 1);
+
+?>
\ No newline at end of file
diff --git a/tests/config.php b/tests/config.php
index a4beacb8..cbcdb1af 100644
--- a/tests/config.php
+++ b/tests/config.php
@@ -1,7 +1,6 @@
 <?php 
 
 // full path to mpos public directory, with trailing slash
-// haven't been able to set this to __DIR__ + changing bootstrap to have the tests work, so full path seems best
 define('BASEPATH', '/var/www/php-mpos-allbranches/php-mpos/public/');
 
 // choose which config to test against, dist or real
diff --git a/tests/phpunit.xml b/tests/phpunit.xml
index 258e159e..513c0d17 100644
--- a/tests/phpunit.xml
+++ b/tests/phpunit.xml
@@ -3,8 +3,11 @@
     <testsuite name="SampleTest">
       <directory>unit/config</directory>
     </testsuite>
-    <testsuite name="SecurityRegress">
-      <directory>unit/securityregress/SecurityRegress.php</directory>
+    <testsuite name="Security_CSRFToken">
+      <directory>unit/securityregress/Security_CSRFToken.php</directory>
+    </testsuite>
+    <testsuite name="Security_Sessions">
+      <directory>unit/securityregress/Security_Sessions.php</directory>
     </testsuite>
   </testsuites>
 </phpunit>
\ No newline at end of file
diff --git a/tests/unit/securityregress/SecurityRegress.php b/tests/unit/securityregress/SecurityRegress.php
deleted file mode 100644
index 6e40ce1d..00000000
--- a/tests/unit/securityregress/SecurityRegress.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-
-class TestSecurityRegress extends PHPUnit_Framework_Testcase {
-  /**
-   * CSRFToken tests
-   */
-  function testCSRFTokenSuccess() {
-    global $config;
-    
-  }
-}
-
-?>
\ No newline at end of file
diff --git a/tests/unit/securityregress/Security_CSRFToken.php b/tests/unit/securityregress/Security_CSRFToken.php
new file mode 100644
index 00000000..beb01644
--- /dev/null
+++ b/tests/unit/securityregress/Security_CSRFToken.php
@@ -0,0 +1,46 @@
+<?php
+
+class Security_CSRFToken extends PHPUnit_Framework_Testcase {
+  /**
+   * Tests if a CSRF token succeeds for a matching user and type
+   */
+  function testCSRFToken_success() {
+    global $config;
+    global $user;
+    global $csrftoken;
+    
+    // no delay
+    // TODO: simulate delay without a sleep ? test length
+    $created_token = $csrftoken->getBasic($user->getCurrentIP(), 'test-token');
+    $test_token = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token);
+    $this->assertTrue($test_token);
+    $this->assertAttributeEquals($csrftoken->valid, true);
+  }
+  
+  /**
+   * Tests if a CSRF token correctly fails
+   */
+  function testCSRFToken_fail() {
+    global $config;
+    global $user;
+    global $csrftoken;
+    
+    // differing user
+    $created_token = $csrftoken->getBasic('not the same', 'test-token');
+    $test_token = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token);
+    $this->assertFalse($test_token);
+    
+    // differing type
+    $created_token2 = $csrftoken->getBasic($user->getCurrentIP(), 'not the same');
+    $test_token2 = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token2);
+    $this->assertFalse($test_token2);
+    
+    // token slightly shortened
+    $created_token3 = $csrftoken->getBasic($user->getCurrentIP(), 'test-token');
+    $created_token3 = substr($created_token3, 0, (strlen($created_token3)-1));
+    $test_token3 = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token3);
+    $this->assertFalse($test_token3);
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/tests/unit/securityregress/Security_Sessions.php b/tests/unit/securityregress/Security_Sessions.php
new file mode 100644
index 00000000..5813f5a1
--- /dev/null
+++ b/tests/unit/securityregress/Security_Sessions.php
@@ -0,0 +1,30 @@
+<?php
+
+class Security_Sessions extends PHPUnit_Framework_Testcase {
+  /**
+   * Tests if our current session checking will throw errors or take a malformed id
+   */
+  function testSessions_destruction_malformed_id() {
+    global $config;
+    
+    $malformed_ids = array(
+        "",
+        "'",
+        "9881o1ke7ia4k5*p1k28e6utg0"
+    );
+    
+    foreach ($malformed_ids as $mid) {
+      session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+      $session_start = @session_start();
+      if (!$session_start) {
+        session_destroy();
+        session_regenerate_id(true);
+        session_start();
+      }
+      @setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+      $this->assertNotEquals($mid, session_id());
+    }
+  }
+}
+
+?>
\ No newline at end of file
