Index: lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java
===================================================================
diff -u -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32 -r6d0f93dea1954ecad93e1331707bd2ad087f8cb5
--- lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java (.../SessionListener.java) (revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
+++ lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java (.../SessionListener.java) (revision 6d0f93dea1954ecad93e1331707bd2ad087f8cb5)
@@ -97,7 +97,7 @@
 if (session != null) {
 UserDTO userDTO = (UserDTO) session.getAttribute(AttributeNames.USER);
 if (userDTO == null) {
- SessionManager.removeSessionByID(session.getId(), false);
+ SessionManager.removeSessionByID(session.getId(), false, true);
 } else {
 // this is set in SsoHandler
 // if user logs in from another browser, cache must not be flushed,
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -rfcc5eca8a605afdc9e927366827553a7862000cd -r6d0f93dea1954ecad93e1331707bd2ad087f8cb5
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision fcc5eca8a605afdc9e927366827553a7862000cd)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 6d0f93dea1954ecad93e1331707bd2ad087f8cb5)
@@ -20,15 +20,6 @@
 */
 package org.lamsfoundation.lams.integration.security;
 
-import io.undertow.Handlers;
-import io.undertow.server.HttpServerExchange;
-import io.undertow.server.session.Session;
-import io.undertow.servlet.ServletExtension;
-import io.undertow.servlet.api.DeploymentInfo;
-import io.undertow.servlet.handlers.ServletRequestContext;
-import io.undertow.servlet.spec.HttpSessionImpl;
-import io.undertow.util.Headers;
-
 import java.io.IOException;
 import java.security.AccessController;
 import java.util.Date;
@@ -57,6 +48,15 @@
 
 import com.warrenstrange.googleauth.GoogleAuthenticator;
 
+import io.undertow.Handlers;
+import io.undertow.server.HttpServerExchange;
+import io.undertow.server.session.Session;
+import io.undertow.servlet.ServletExtension;
+import io.undertow.servlet.api.DeploymentInfo;
+import io.undertow.servlet.handlers.ServletRequestContext;
+import io.undertow.servlet.spec.HttpSessionImpl;
+import io.undertow.util.Headers;
+
 /**
 * Allows access to LAMS WARs when an user logs in.
 *
@@ -154,7 +154,7 @@
 
 // prevent session fixation attack
 // This will become obsolete on Undertow upgrade to version 1.1.10+
- SessionManager.removeSessionByID(session.getId(), false);
+ SessionManager.removeSessionByID(session.getId(), false, false);
 request.changeSessionId();
 session = request.getSession();
 
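Review bot: The new `false` for clearLoginMapping in the session-fixation hunk (`@@ -154,7`) is the opposite of what the SessionListener call passes, and nothing at this call site says why the login mapping is deliberately left alone when the pre-login session id is discarded. If the reason is that `request.changeSessionId()` keeps the same session object and only rotates its id, so no `loginMapping` entry can go stale, a comment saying so would stop the next reader from "fixing" it to `true`; e.g. `// keep loginMapping: changeSessionId() keeps this session object, only its id is rotated`. The enclosing method starts and ends outside the hunk, so whether a mapping for this user exists at this point cannot be checked from here. The two import hunks are only a reorder.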
@@ -224,12 +224,12 @@
 * Forward to the login page with a specific error message. Avoids a redirect. Based on the
 * ServletFormAuthenticationMechanism method. The location should be relative to the current
 * context and start with "/" e.g. /login.jsp
- *
+ *
 * @throws IOException
 * @throws ServletException
 */
- protected Integer serveLoginPage(final HttpServerExchange exchange, final String location) throws ServletException,
- IOException {
+ protected Integer serveLoginPage(final HttpServerExchange exchange, final String location)
+ throws ServletException, IOException {
 ServletRequestContext context = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
 HttpServletRequest request = (HttpServletRequest) context.getServletRequest();
 
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
diff -u -rc819f2a958c500be2c37059a1781b8c145557310 -r6d0f93dea1954ecad93e1331707bd2ad087f8cb5
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java (.../SessionManager.java) (revision c819f2a958c500be2c37059a1781b8c145557310)
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java (.../SessionManager.java) (revision 6d0f93dea1954ecad93e1331707bd2ad087f8cb5)
@@ -110,7 +110,7 @@
 /**
 * Unregisteres the session by the given ID.
 */
- public static void removeSessionByID(String sessionID, boolean invalidate) {
+ public static void removeSessionByID(String sessionID, boolean invalidate, boolean clearLoginMapping) {
 HttpSession session = SessionManager.getSession(sessionID);
 if (session != null) {
 SessionManager.sessionIdMapping.remove(sessionID);
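Review bot: The Javadoc on `removeSessionByID` in the SessionManager hunk (`@@ -110,7`) still reads `Unregisteres the session by the given ID.` and documents neither boolean, while the new third parameter is exactly the kind of positional flag that gets passed wrongly at a call site (this commit alone passes `false, true` in one place and `false, false` in another). I would fix the typo and add `@param sessionID`, `@param invalidate` and `@param clearLoginMapping` lines; the last can be stated from the body in the next hunk: the `loginMapping` entry whose session carries this id is removed if one exists, even when no session is registered under the id. What `invalidate` does is not visible in this diff, so that line has to be written from the rest of the method. The method body continues past this hunk; the serveLoginPage hunk is a line reflow only.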
@@ -124,6 +124,20 @@
 }
 }
 }
+ if (clearLoginMapping) {
+ // it seems that sometimes session does not contain userDTO, but login mapping exists
+ // we need to try to clear it when destroying the session
+ String login = null;
+ for (Entry sessionEntry : SessionManager.loginMapping.entrySet()) {
+ if (sessionID.equals(sessionEntry.getValue().getId())) {
+ login = sessionEntry.getKey();
+ break;
+ }
+ }
+ if (login != null) {
+ SessionManager.loginMapping.remove(login);
+ }
+ }
 }
 
 /**
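Review bot: The scan-then-remove on `loginMapping` is a check-then-act: the loop finds the login whose mapped session has `sessionID`, but `loginMapping.remove(login)` then drops whatever is mapped under that login at that moment, so if the same user logs in again between the two steps (the "another browser" case the SessionListener comment describes) the fresh session's mapping is discarded instead of the stale one. Keeping the value check and the removal together avoids that and the raw `Entry` loop at once: `SessionManager.loginMapping.entrySet().removeIf(e -> sessionID.equals(e.getValue().getId()));` (Java 8+; on a `ConcurrentHashMap` this is safe to run while other threads log in, whereas on a plain `HashMap` the loop as written is already unsafe to iterate concurrently, and the field's type is not visible here). The raw `Entry` as printed would not compile against `.getId()` and `String login = sessionEntry.getKey()`, so presumably the type arguments were stripped in rendering. The scan is also linear in the number of logged-in users and, after the SessionListener hunk, runs for every destroyed session that carries no UserDTO, i.e. every anonymous session; if that shows up under load, a reverse index keyed by session id is the fix. `removeSessionByID` starts before this hunk.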