Index: lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java
===================================================================
diff -u -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb -r42c6da4ecec87cbdf2b5a7247abca9c918183b8e
--- lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java	(.../SessionListener.java)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
+++ lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java	(.../SessionListener.java)	(revision 42c6da4ecec87cbdf2b5a7247abca9c918183b8e)
@@ -95,12 +95,16 @@
 	HttpSession session = sessionEvent.getSession();
 	if (session != null) {
 	    SessionManager.removeSessionByID(session.getId(), false);
-	    
+
 	    UserDTO userDTO = (UserDTO) session.getAttribute(AttributeNames.USER);
 	    if (userDTO != null) {
 		String login = userDTO.getLogin();
 		Principal principal = new SimplePrincipal(login);
 		SessionListener.authenticationManager.flushCache(principal);
+
+		// remove obsolete mappings to session
+		// the session is either already invalidated or will be very soon by another module
+		SessionManager.removeSessionByLogin(login, false);
 	    }
 	}
     }
Index: lams_central/web/login.jsp
===================================================================
diff -u -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb -r42c6da4ecec87cbdf2b5a7247abca9c918183b8e
--- lams_central/web/login.jsp	(.../login.jsp)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
+++ lams_central/web/login.jsp	(.../login.jsp)	(revision 42c6da4ecec87cbdf2b5a7247abca9c918183b8e)
@@ -176,11 +176,12 @@
 				// invalidate session so a new user can be logged in
 				HttpSession hs = SessionManager.getSession();
 				if (hs != null) {
-				    // maybe this attribute removal is not necessary
-				    // since we invalidate the session right after it
-				    hs.removeAttribute("login");
-				    hs.removeAttribute("password");
-				    hs.invalidate();
+					UserDTO userDTO = (UserDTO) hs.getAttribute("user");
+					if (userDTO != null) {
+					    // remove session from mapping
+					    SessionManager.removeSessionByLogin(userDTO.getLogin(), false);
+					}
+					hs.invalidate();
 				}
 			%>
 			<script type="text/javascript">
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
diff -u -r131ce42e64069f574a2a4a9bc1e5c4be4918e5bb -r42c6da4ecec87cbdf2b5a7247abca9c918183b8e
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	(.../SessionManager.java)	(revision 131ce42e64069f574a2a4a9bc1e5c4be4918e5bb)
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	(.../SessionManager.java)	(revision 42c6da4ecec87cbdf2b5a7247abca9c918183b8e)
@@ -70,14 +70,31 @@
     public static void startSession(HttpServletRequest request) {
 	HttpSession session = request.getSession();
 	if (session.getAttribute(LOG_OUT_FLAG) != null) {
+	    // session was flagged for invalidation
 	    session.invalidate();
 	    throw new SecurityException("You were logged out");
 	}
+
 	String sessionId = session.getId();
-	SessionManager.sessionIdMapping.put(sessionId, session);
-	SessionManager.sessionManager.currentSessionIdContainer.set(sessionId);
-	if (request.getRemoteUser() != null) {
-	    SessionManager.loginMapping.put(request.getRemoteUser(), session);
+	sessionIdMapping.put(sessionId, session);
+	sessionManager.currentSessionIdContainer.set(sessionId);
+
+	// check if another session for this user already exists
+	String login = request.getRemoteUser();
+	if (login != null) {
+	    HttpSession existingSession = loginMapping.get(login);
+	    // check if it's a different session and if so, which one is newer
+	    if (existingSession != null && !existingSession.getId().equals(sessionId)) {
+		if (session.getCreationTime() > existingSession.getCreationTime()) {
+		    // mark the other session for invalidation
+		    existingSession.setAttribute(LOG_OUT_FLAG, true);
+		} else {
+		    // invalidate this session
+		    session.invalidate();
+		    throw new SecurityException("You were logged out");
+		}
+	    }
+	    loginMapping.put(login, session);
 	}
     }
 
@@ -98,7 +115,6 @@
 	    return;
 	}
 	SessionManager.loginMapping.remove(login);
-	SessionManager.sessionIdMapping.remove(session.getId());
 
 	if (invalidate) {
 	    // only mark for invalidation, not invalidate