Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -reb1529450ce9483c3a5d6df58aed14e437bb8ee6 -r4db2093b71e0412505523eeec2825c1b0474f66d
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision eb1529450ce9483c3a5d6df58aed14e437bb8ee6)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision 4db2093b71e0412505523eeec2825c1b0474f66d)
@@ -108,18 +108,20 @@
 
 		String login = request.getParameter("j_username");
 		if (StringUtils.isBlank(login)) {
+		    SsoHandler.clearLoginSessionAttributes(session);
 		    SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true");
 		    return;
 		}
 		User user = SsoHandler.getUserManagementService(session.getServletContext()).getUserByLogin(login);
 		if (user == null) {
+		    SsoHandler.clearLoginSessionAttributes(session);
 		    SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?failed=true");
 		    return;
 		}
 		UserDTO userDTO = user.getUserDTO();
 		String password = request.getParameter("j_password");
-		if (user.getLockOutTime() != null && user.getLockOutTime().getTime() > System.currentTimeMillis()
-			&& password != null && !password.startsWith("#LAMS")) {
+		if (user.getLockOutTime() != null && user.getLockOutTime().getTime() > System.currentTimeMillis()) {
+		    SsoHandler.clearLoginSessionAttributes(session);
 		    SsoHandler.serveLoginPage(exchange, request, response, "/login.jsp?lockedOut=true");
 		    return;
 		}
@@ -183,8 +185,7 @@
 		    session.setAttribute(AttributeNames.USER, userDTO);
 
 		    Integer failedAttempts = user.getFailedAttempts();
-		    if (failedAttempts != null && failedAttempts > 0 && password != null
-			    && !password.startsWith("#LAMS")) {
+		    if (failedAttempts != null && failedAttempts > 0) {
 			user.setFailedAttempts(null);
 			user.setLockOutTime(null);
 			SsoHandler.getUserManagementService(session.getServletContext()).save(user);
@@ -193,7 +194,7 @@
 		    SsoHandler.logLogin(userDTO, request);
 		} else {
 		    // clear after failed authentication, if it was set in LoginRequestServlet
-		    session.removeAttribute("integratedLogoutURL");
+		    SsoHandler.clearLoginSessionAttributes(session);
 
 		    Integer failedAttempts = user.getFailedAttempts();
 		    Integer failedAttemptsConfig = Configuration.getAsInt(ConfigurationKeys.FAILED_ATTEMPTS);
@@ -214,6 +215,7 @@
 			SsoHandler.getLogEventService(session.getServletContext()).logEvent(
 				LogEvent.TYPE_ACCOUNT_LOCKED, user.getUserId(), user.getUserId(), null, null, message);
 		    }
+
 		    SsoHandler.getUserManagementService(session.getServletContext()).save(user);
 		}
 
@@ -308,6 +310,13 @@
 		user.getUserID(), user.getUserID(), null, null, message);
     }
 
+    private static void clearLoginSessionAttributes(HttpSession session) {
+	session.removeAttribute("login");
+	session.removeAttribute("password");
+	session.removeAttribute("redirectURL");
+	session.removeAttribute("integratedLogoutURL");
+    }
+
     private static void logLogout(UserDTO user) {
 	String message = new StringBuilder("User ").append(user.getLogin()).append(" (").append(user.getUserID())
 		.append(") got logged out from another browser").toString();