Index: lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java
===================================================================
diff -u -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32 -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb
--- lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java	(.../SessionListener.java)	(revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
+++ lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java	(.../SessionListener.java)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
@@ -35,7 +35,6 @@
 
 import org.apache.log4j.Logger;
 import org.jboss.security.CacheableManager;
-import org.lamsfoundation.lams.integration.security.SsoHandler;
 import org.lamsfoundation.lams.security.SimplePrincipal;
 import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.util.Configuration;
@@ -95,23 +94,13 @@
 	// clear the authentication cache when the session is invalidated
 	HttpSession session = sessionEvent.getSession();
 	if (session != null) {
+	    SessionManager.removeSessionByID(session.getId(), false);
+	    
 	    UserDTO userDTO = (UserDTO) session.getAttribute(AttributeNames.USER);
-	    if (userDTO == null) {
-		SessionManager.removeSessionByID(session.getId(), false);
-	    } else {
-		// this is set in SsoHandler
-		// if user logs in from another browser, cache must not be flushed,
-		// otherwise current authentication process fails
-		Boolean noFlush = (Boolean) session.getAttribute(SsoHandler.NO_FLUSH_FLAG);
-		if (!Boolean.TRUE.equals(noFlush)) {
-		    String login = userDTO.getLogin();
-		    Principal principal = new SimplePrincipal(login);
-		    SessionListener.authenticationManager.flushCache(principal);
-
-		    // remove obsolete mappings to session
-		    // the session is either already invalidated or will be very soon by another module
-		    SessionManager.removeSessionByLogin(login, false);
-		}
+	    if (userDTO != null) {
+		String login = userDTO.getLogin();
+		Principal principal = new SimplePrincipal(login);
+		SessionListener.authenticationManager.flushCache(principal);
 	    }
 	}
     }
Index: lams_central/web/login.jsp
===================================================================
diff -u -r4583983b64efe1d91fbb47cdde6a759a6a30e859 -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb
--- lams_central/web/login.jsp	(.../login.jsp)	(revision 4583983b64efe1d91fbb47cdde6a759a6a30e859)
+++ lams_central/web/login.jsp	(.../login.jsp)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
@@ -176,12 +176,11 @@
 				// invalidate session so a new user can be logged in
 				HttpSession hs = SessionManager.getSession();
 				if (hs != null) {
+				    // maybe this attribute removal is not necessary
+				    // since we invalidate the session right after it
 				    hs.removeAttribute("login");
 				    hs.removeAttribute("password");
-					UserDTO userDTO = (UserDTO) hs.getAttribute("user");
-					if (userDTO != null) {
-					    SessionManager.removeSessionByLogin(userDTO.getLogin(), true);
-					}
+				    hs.invalidate();
 				}
 			%>
 			<script type="text/javascript">
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -rbb52aeca8f924c447f5b2c69fb05ff4f1aed1412 -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision bb52aeca8f924c447f5b2c69fb05ff4f1aed1412)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
@@ -68,14 +68,12 @@
 
     private static final String REDIRECT_KEY = "io.undertow.servlet.form.auth.redirect.location";
     private static final String KEEP_SESSION_ID_KEY = "lams.keepSessionId";
-    // if this attribute is set in session, credential cache will not be cleared on session destroy in SessionListener
-    public static final String NO_FLUSH_FLAG = "noFlush";
 
     @Override
     public void handleDeployment(final DeploymentInfo deploymentInfo, final ServletContext servletContext) {
 	// If WildFly was run with VM parameter -Dlams.keepSessionId=true
 	// session ID will not be changed after log in
-	// This is necessary for TestHarness to run as it does not process session ID change correctly 
+	// This is necessary for TestHarness to run as it does not process session ID change correctly
 	boolean keepSessionId = Boolean.parseBoolean(System.getProperty(KEEP_SESSION_ID_KEY));
 	if (keepSessionId) {
 	    deploymentInfo.setChangeSessionIdOnLogin(false);
@@ -88,6 +86,7 @@
 	deploymentInfo.addOuterHandlerChainWrapper(handler -> {
 	    // just forward all requests except one for logging in
 	    return Handlers.path().addPrefixPath("/", handler).addExactPath("/j_security_check", exchange -> {
+		// intercept login page
 		ServletRequestContext context = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
 		HttpServletResponse response = (HttpServletResponse) context.getServletResponse();
 		HttpServletRequest request = (HttpServletRequest) context.getServletRequest();
@@ -110,19 +109,19 @@
 		String login = request.getParameter("j_username");
 		User user = null;
 		if (StringUtils.isBlank(login)) {
-		    serveLoginPage(exchange, "/login.jsp?failed=true");
+		    SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true");
 		    return;
 		}
 		user = getUserManagementService(session.getServletContext()).getUserByLogin(login);
 		if (user == null) {
-		    serveLoginPage(exchange, "/login.jsp?failed=true");
+		    SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true");
 		    return;
 		}
 		UserDTO userDTO = user.getUserDTO();
 		String password = request.getParameter("j_password");
 		if (user.getLockOutTime() != null && user.getLockOutTime().getTime() > System.currentTimeMillis()
 			&& password != null && !password.startsWith("#LAMS")) {
-		    serveLoginPage(exchange, "/login.jsp?lockedOut=true");
+		    SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?lockedOut=true");
 		    return;
 		}
 
@@ -159,6 +158,9 @@
 
 		}
 
+		// check if user is already logged in
+		HttpSession existingSession = SessionManager.getSessionForLogin(login);
+
 		// store session so UniversalLoginModule can access it
 		SessionManager.startSession(request);
 
@@ -173,18 +175,11 @@
 		if (login.equals(request.getRemoteUser())) {
 		    session.setAttribute(AttributeNames.USER, userDTO);
 
-		    HttpSession existingSession = SessionManager.getSessionForLogin(login);
+		    // if user is already logged in on another browser, log him out
 		    if (existingSession != null) {
-			try {
-			    // tell SessionListener not to flush credential cache on session destroy,
-			    // otherwise this authentication process fails
-			    existingSession.setAttribute(NO_FLUSH_FLAG, true);
-			} catch (IllegalStateException e) {
-			    // if it was already invalidated, do nothing
-			}
-			// remove an existing session for the given user
-			SessionManager.removeSessionByLogin(login, request.isRequestedSessionIdValid());
+			SessionManager.removeSessionByID(existingSession.getId(), true);
 		    }
+
 		    Integer failedAttempts = user.getFailedAttempts();
 		    if (failedAttempts != null && failedAttempts > 0 && password != null
 			    && !password.startsWith("#LAMS")) {
@@ -225,17 +220,9 @@
      * Forward to the login page with a specific error message. Avoids a redirect. Based on the
      * ServletFormAuthenticationMechanism method. The location should be relative to the current
      * context and start with "/" e.g. /login.jsp
-     *
-     * @throws IOException
-     * @throws ServletException
      */
-    protected Integer serveLoginPage(final HttpServerExchange exchange, final String location)
-	    throws ServletException, IOException {
-
-	ServletRequestContext context = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
-	HttpServletRequest request = (HttpServletRequest) context.getServletRequest();
-	HttpServletResponse response = (HttpServletResponse) context.getServletResponse();
-
+    private static Integer serveLoginPage(final HttpServerExchange exchange, final HttpServletRequest request,
+	    final HttpServletResponse response, final String location) throws ServletException, IOException {
 	exchange.getResponseHeaders().add(Headers.CACHE_CONTROL, "no-cache, no-store, must-revalidate");
 	exchange.getResponseHeaders().add(Headers.PRAGMA, "no-cache");
 	exchange.getResponseHeaders().add(Headers.EXPIRES, "0");
@@ -248,7 +235,7 @@
      * Notifies authentication mechanism where it should redirect after log in. Based on
      * ServletFormAuthenticationMechanism method.
      */
-    protected static void handleRedirectBack(ServletRequestContext context, String redirectURL) {
+    private static void handleRedirectBack(ServletRequestContext context, String redirectURL) {
 	/*
 	 * Prevent HTTP Response Splitting attack by sanitizing redirectURL.
 	 * The attack was possible by changing action of login form to, for example,
@@ -278,7 +265,7 @@
     /**
      * Memorises jvmRoute if it is already set.
      */
-    protected static void setJvmRoute(HttpServletRequest request) {
+    private static void setJvmRoute(HttpServletRequest request) {
 	// if previous requests has not created a session, cookies will be null
 	Cookie[] cookies = request.getCookies();
 	if (cookies == null) {
@@ -297,15 +284,15 @@
 	}
     }
 
-    protected IUserManagementService getUserManagementService(ServletContext context) {
+    private IUserManagementService getUserManagementService(ServletContext context) {
 	if (SsoHandler.userManagementService == null) {
 	    WebApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context);
 	    SsoHandler.userManagementService = (UserManagementService) ctx.getBean("userManagementService");
 	}
 	return SsoHandler.userManagementService;
     }
 
-    protected IAuditService getAuditService(ServletContext context) {
+    private IAuditService getAuditService(ServletContext context) {
 	if (SsoHandler.auditService == null) {
 	    WebApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context);
 	    SsoHandler.auditService = (IAuditService) ctx.getBean("auditService");
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
diff -u -rbb52aeca8f924c447f5b2c69fb05ff4f1aed1412 -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	(.../SessionManager.java)	(revision bb52aeca8f924c447f5b2c69fb05ff4f1aed1412)
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	(.../SessionManager.java)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
@@ -34,6 +34,8 @@
 
 public class SessionManager {
     public static final String SYS_SESSION_COOKIE = "JSESSIONID";
+    // if this attribute is set in session, next call will force the user to log out
+    public static final String LOG_OUT_FLAG = "lamsLogOutFlag";
 
     // singleton
     private static SessionManager sessionManager;
@@ -67,6 +69,10 @@
      */
     public static void startSession(HttpServletRequest request) {
 	HttpSession session = request.getSession();
+	if (session.getAttribute(LOG_OUT_FLAG) != null) {
+	    session.invalidate();
+	    throw new SecurityException("You were logged out");
+	}
 	String sessionId = session.getId();
 	SessionManager.sessionIdMapping.put(sessionId, session);
 	SessionManager.sessionManager.currentSessionIdContainer.set(sessionId);
@@ -95,12 +101,10 @@
 	SessionManager.sessionIdMapping.remove(session.getId());
 
 	if (invalidate) {
-	    try {
-		session.invalidate();
-	    } catch (IllegalStateException e) {
-		System.out.println("SessionMananger invalidation exception");
-		// if it was already invalidated, do nothing
-	    }
+	    // only mark for invalidation, not invalidate
+	    // otherwise on clustered environment we get problems with server-side invalidation of Infinispan distributed sessions
+	    // see WFLY-7281 and WFLY-7229; maybe it will work on WildFly 11
+	    session.setAttribute(LOG_OUT_FLAG, true);
 	}
     }
 
@@ -115,12 +119,10 @@
 	SessionManager.sessionIdMapping.remove(sessionID);
 
 	if (invalidate) {
-	    try {
-		session.invalidate();
-	    } catch (IllegalStateException e) {
-		System.out.println("SessionMananger invalidation exception");
-		// if it was already invalidated, do nothing
-	    }
+	    // only mark for invalidation, not invalidate
+	    // otherwise on clustered environment we get problems with server-side invalidation of Infinispan distributed sessions
+	    // see WFLY-7281 and WFLY-7229; maybe it will work on WildFly 11
+	    session.setAttribute(LOG_OUT_FLAG, true);
 	}
     }