Index: lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java
===================================================================
diff -u -ra939bcf145b0e4deab5838f87b047df5ca48c92d -r41d88eec269868bbf20fcb5108f1a689f496e558
--- lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java (.../UniversalLoginModule.java) (revision a939bcf145b0e4deab5838f87b047df5ca48c92d)
+++ lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java (.../UniversalLoginModule.java) (revision 41d88eec269868bbf20fcb5108f1a689f496e558)
@@ -275,16 +275,29 @@
// allow sysadmin to login as another user; in this case, the LAMS shared session will be present,
// allowing the following check to work
if (UniversalLoginModule.userManagementService.isUserSysAdmin()) {
+ if (UniversalLoginModule.log.isDebugEnabled()) {
+ UniversalLoginModule.log.debug("Authenticated sysadmin");
+ }
return true;
}
String userName = getUserName();
// empty password not allowed
if (StringUtils.isBlank(inputPassword)) {
- // check for internal authentication made by LoginRequestServlet or LoginAsAction
- Long internalAuthenticationTime = UniversalLoginModule.internalAuthenticationTokens.get(userName);
- UniversalLoginModule.internalAuthenticationTokens.remove(userName);
+ if (UniversalLoginModule.log.isDebugEnabled()) {
+ UniversalLoginModule.log.debug("Entered password is blank for user: " + userName);
+ }
+ return false;
+ }
+
+ // check for internal authentication made by LoginRequestServlet or LoginAsAction
+ if (inputPassword.startsWith("#")) {
+ if (UniversalLoginModule.log.isDebugEnabled()) {
+ UniversalLoginModule.log.debug("Authenticating internally user: " + userName);
+ }
+ Long internalAuthenticationTime = UniversalLoginModule.internalAuthenticationTokens.get(inputPassword);
+ UniversalLoginModule.internalAuthenticationTokens.remove(inputPassword);
// internal authentication is valid for 10 seconds
return (internalAuthenticationTime != null) && ((System.currentTimeMillis()
- internalAuthenticationTime) < UniversalLoginModule.INTERNAL_AUTHENTICATION_TIMEOUT);
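Review bot: The new lookup `UniversalLoginModule.internalAuthenticationTokens.get(inputPassword)` is no longer tied to the account being authenticated: the map is keyed by the token alone and `userName` is never compared, so a token still inside INTERNAL_AUTHENTICATION_TIMEOUT is accepted for whichever login name is submitted with it. Record the login the token was issued for together with its timestamp and return false unless it equals `userName`; the two issuing sites are the LoginAsAction and LoginRequestServlet hunks, which both call `setAuthenticationToken(token)` without the login, so they would need to pass it as well. A second point is the `inputPassword.startsWith("#")` guard, which returns before the normal password path: an ordinary account password that happens to begin with '#' can no longer authenticate unless such passwords are rejected elsewhere, which this diff does not show. The enclosing method starts and ends outside this hunk, and the map declaration that would change type is also outside it.
```java
if (inputPassword.startsWith("#")) {
    // … unchanged: debug logging …
    // one-shot: consume the token whether or not it is still valid
    IssuedToken issued = UniversalLoginModule.internalAuthenticationTokens.remove(inputPassword);
    // internal authentication is valid for 10 seconds and only for the login it was issued to
    return issued != null
            && userName.equals(issued.login())
            && (System.currentTimeMillis() - issued.issuedAt()) < UniversalLoginModule.INTERNAL_AUTHENTICATION_TIMEOUT;
```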
@@ -293,9 +306,7 @@
boolean isValid = false;
try {
-
User user = UniversalLoginModule.userManagementService.getUserByLogin(userName);
-
// LDAP user provisioning
if (user == null) {
if (!Configuration.getAsBoolean(ConfigurationKeys.LDAP_PROVISIONING_ENABLED)) {
@@ -515,7 +526,7 @@
/**
* Allows other LAMS modules to confirm user authentication before WildFly proper authentication commences.
*/
- public static void setAuthenticationToken(String userName) {
- UniversalLoginModule.internalAuthenticationTokens.put(userName, System.currentTimeMillis());
+ public static void setAuthenticationToken(String token) {
+ UniversalLoginModule.internalAuthenticationTokens.put(token, System.currentTimeMillis());
}
}
\ No newline at end of file
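Review bot: The Javadoc on setAuthenticationToken does not state the contract the renamed parameter now carries: the login module only consults this map when the entered password starts with '#', and an entry is honoured for INTERNAL_AUTHENTICATION_TIMEOUT milliseconds after this call. Add `@param token one-shot value, prefixed with '#', that the caller will submit as the password; honoured for INTERNAL_AUTHENTICATION_TIMEOUT ms` so the issuing sites in LoginAsAction and LoginRequestServlet stay in step with the check. As far as this diff shows, an entry is only removed when its token is presented, so a token that is never submitted stays in the static map; purging entries older than the timeout on each insert would keep it bounded.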
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginAsAction.java
===================================================================
diff -u -ra939bcf145b0e4deab5838f87b047df5ca48c92d -r41d88eec269868bbf20fcb5108f1a689f496e558
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginAsAction.java (.../LoginAsAction.java) (revision a939bcf145b0e4deab5838f87b047df5ca48c92d)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginAsAction.java (.../LoginAsAction.java) (revision 41d88eec269868bbf20fcb5108f1a689f496e558)
@@ -30,6 +30,7 @@
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
+import org.lamsfoundation.lams.integration.security.RandomPasswordGenerator;
import org.lamsfoundation.lams.security.UniversalLoginModule;
import org.lamsfoundation.lams.usermanagement.User;
import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
@@ -74,8 +75,10 @@
// login.jsp knows what to do with these
request.setAttribute("login", login);
+ String token = "#" + RandomPasswordGenerator.nextPassword(10);
+ request.setAttribute("password", token);
// notify the login module that the user has been authenticated correctly
- UniversalLoginModule.setAuthenticationToken(login);
+ UniversalLoginModule.setAuthenticationToken(token);
// redirect to login page
return (new ActionForward("/login.jsp?redirectURL=/lams/index.jsp"));
}
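Review bot: The token construction `"#" + RandomPasswordGenerator.nextPassword(10)` is duplicated here and in the LoginRequestServlet hunk, while the '#' prefix it relies on is interpreted in UniversalLoginModule; a single factory there, e.g. `String token = UniversalLoginModule.createAuthenticationToken();` that both generates and registers the value, would keep the convention next to the check that depends on it. Whether RandomPasswordGenerator draws from SecureRandom is not visible in this diff; a value that stands in for the user's password for the login round-trip should come from a cryptographically strong source, and the note should say so where the length 10 is chosen.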
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java
===================================================================
diff -u -ra939bcf145b0e4deab5838f87b047df5ca48c92d -r41d88eec269868bbf20fcb5108f1a689f496e558
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java (.../LoginRequestServlet.java) (revision a939bcf145b0e4deab5838f87b047df5ca48c92d)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginRequestServlet.java (.../LoginRequestServlet.java) (revision 41d88eec269868bbf20fcb5108f1a689f496e558)
@@ -36,6 +36,7 @@
import org.lamsfoundation.lams.integration.UserInfoValidationException;
import org.lamsfoundation.lams.integration.security.AuthenticationException;
import org.lamsfoundation.lams.integration.security.Authenticator;
+import org.lamsfoundation.lams.integration.security.RandomPasswordGenerator;
import org.lamsfoundation.lams.integration.service.IntegrationService;
import org.lamsfoundation.lams.integration.util.LoginRequestDispatcher;
import org.lamsfoundation.lams.security.UniversalLoginModule;
@@ -158,8 +159,10 @@
// login.jsp knows what to do with these
hses.setAttribute("login", login);
+ String token = "#" + RandomPasswordGenerator.nextPassword(10);
+ hses.setAttribute("password", token);
// notify the login module that the user has been authenticated correctly
- UniversalLoginModule.setAuthenticationToken(login);
+ UniversalLoginModule.setAuthenticationToken(token);
response.sendRedirect("login.jsp?redirectURL=" + redirectURL);
} catch (AuthenticationException e) {
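Review bot: The token is placed in the HTTP session with `hses.setAttribute("password", token)`, so unlike the request attribute used in LoginAsAction it outlives the single-use token and the 10-second window unless something clears it; whether login.jsp removes it after submitting is not visible here. If it does not, `hses.removeAttribute("password")` once the value has been consumed, or a short comment stating where it is cleared, would avoid keeping a login-equivalent secret in the session for its whole lifetime. The surrounding try block starts outside this hunk.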
Index: lams_central/web/login.jsp
===================================================================
diff -u -ra939bcf145b0e4deab5838f87b047df5ca48c92d -r41d88eec269868bbf20fcb5108f1a689f496e558
--- lams_central/web/login.jsp (.../login.jsp) (revision a939bcf145b0e4deab5838f87b047df5ca48c92d)
+++ lams_central/web/login.jsp (.../login.jsp) (revision 41d88eec269868bbf20fcb5108f1a689f496e558)
@@ -11,6 +11,7 @@
--%>