Index: lams_tool_scribe/src/java/org/lamsfoundation/lams/tool/scribe/web/controller/LearningWebsocketServer.java
===================================================================
diff -u -r18a207719c2aa30f683987fd0bb9176521b704de -r4ac3a79aaf6832ad187d8f25cb5f9857371191be
--- lams_tool_scribe/src/java/org/lamsfoundation/lams/tool/scribe/web/controller/LearningWebsocketServer.java	(.../LearningWebsocketServer.java)	(revision 18a207719c2aa30f683987fd0bb9176521b704de)
+++ lams_tool_scribe/src/java/org/lamsfoundation/lams/tool/scribe/web/controller/LearningWebsocketServer.java	(.../LearningWebsocketServer.java)	(revision 4ac3a79aaf6832ad187d8f25cb5f9857371191be)
@@ -66,7 +66,7 @@
 		try {
 		    // websocket communication bypasses standard HTTP filters, so Hibernate session needs to be initialised manually
 		    HibernateSessionManager.openSession();
-		    
+
 		    Iterator<Entry<Long, Set<Session>>> entryIterator = LearningWebsocketServer.websockets.entrySet()
 			    .iterator();
 		    // go through activities and update registered learners with reports and vote count
@@ -209,12 +209,20 @@
     }
 
     /**
-     * Registeres the Learner for processing by SendWorker.
+     * Registers the Learner for processing by SendWorker.
      */
     @OnOpen
     public void registerUser(Session websocket) throws IOException {
 	Long toolSessionId = Long
 		.valueOf(websocket.getRequestParameterMap().get(AttributeNames.PARAM_TOOL_SESSION_ID).get(0));
+	String login = websocket.getUserPrincipal().getName();
+	ScribeUser user = LearningWebsocketServer.getScribeService().getUserByLoginNameAndSessionId(login,
+		toolSessionId);
+	if (user == null) {
+	    throw new SecurityException("User \"" + login
+		    + "\" is not a participant in Scribe activity with tool session ID " + toolSessionId);
+	}
+
 	Set<Session> sessionWebsockets = LearningWebsocketServer.websockets.get(toolSessionId);
 	if (sessionWebsockets == null) {
 	    sessionWebsockets = ConcurrentHashMap.newKeySet();
@@ -223,8 +231,7 @@
 	sessionWebsockets.add(websocket);
 
 	if (LearningWebsocketServer.log.isDebugEnabled()) {
-	    LearningWebsocketServer.log.debug("User " + websocket.getUserPrincipal().getName()
-		    + " entered Scribe with toolSessionId: " + toolSessionId);
+	    LearningWebsocketServer.log.debug("User " + login + " entered Scribe with toolSessionId: " + toolSessionId);
 	}
 
 	new Thread(() -> {