Index: lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java
===================================================================
diff -u -r7475d08afc280b5e2e5ddf04e8bf35e3166aaf80 -r7342460aa103c2f8ecd74a5ddfacbaad6b483f5c
--- lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java	(.../UniversalLoginModule.java)	(revision 7475d08afc280b5e2e5ddf04e8bf35e3166aaf80)
+++ lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java	(.../UniversalLoginModule.java)	(revision 7342460aa103c2f8ecd74a5ddfacbaad6b483f5c)
@@ -85,7 +85,7 @@
     private char[] credential;
 
     private static String dsJndiName;
-    private static final Map<String, Long> internalAuthenticationTokens = new TreeMap<String, Long>();
+    private static final Map<String, Long> internalAuthenticationTokens = new TreeMap<>();
 
     private static DatabaseAuthenticator databaseAuthenticator;
     private static IThemeService themeService;
@@ -296,20 +296,25 @@
 	    return false;
 	}
 
+	boolean isValid = false;
+
 	// check for internal authentication made by LoginRequestServlet or LoginAsAction
 	if (inputPassword.startsWith("#LAMS")) {
 	    if (UniversalLoginModule.log.isDebugEnabled()) {
 		UniversalLoginModule.log.debug("Authenticating internally user: " + userName);
 	    }
+
 	    Long internalAuthenticationTime = UniversalLoginModule.internalAuthenticationTokens.get(inputPassword);
-	    UniversalLoginModule.internalAuthenticationTokens.remove(inputPassword);
+
 	    // internal authentication is valid for 10 seconds
-	    return (internalAuthenticationTime != null) && ((System.currentTimeMillis()
+	    isValid = (internalAuthenticationTime != null) && ((System.currentTimeMillis()
 		    - internalAuthenticationTime) < UniversalLoginModule.INTERNAL_AUTHENTICATION_TIMEOUT);
+	    if (!isValid) {
+		UniversalLoginModule.internalAuthenticationTokens.remove(inputPassword);
+	    }
+	    return isValid;
 	}
 
-	boolean isValid = false;
-
 	try {
 	    User user = UniversalLoginModule.userManagementService.getUserByLogin(userName);
 	    // LDAP user provisioning
@@ -419,7 +424,7 @@
      */
     private Group[] getRoleSets() throws LoginException {
 	String userName = getUserName();
-	Map<String, Group> setsMap = new HashMap<String, Group>();
+	Map<String, Group> setsMap = new HashMap<>();
 	Connection conn = null;
 	PreparedStatement ps = null;
 	ResultSet rs = null;
@@ -438,7 +443,7 @@
 		throw new FailedLoginException("No matching user name found in roles: " + userName);
 	    }
 
-	    ArrayList<String> groupMembers = new ArrayList<String>();
+	    ArrayList<String> groupMembers = new ArrayList<>();
 	    do {
 		String name = rs.getString(1);
 		String groupName = rs.getString(2);
Index: lams_central/web/login.jsp
===================================================================
diff -u -r14414dbc33c3338acb9b1ac26bb20aa7b4b8f19c -r7342460aa103c2f8ecd74a5ddfacbaad6b483f5c
--- lams_central/web/login.jsp	(.../login.jsp)	(revision 14414dbc33c3338acb9b1ac26bb20aa7b4b8f19c)
+++ lams_central/web/login.jsp	(.../login.jsp)	(revision 7342460aa103c2f8ecd74a5ddfacbaad6b483f5c)
@@ -192,9 +192,8 @@
 					UserDTO userDTO = (UserDTO) hs.getAttribute("user");
 					if (userDTO != null) {
 					    // remove session from mapping
-					    SessionManager.removeSessionByLogin(userDTO.getLogin(), false);
+					    SessionManager.removeSessionByLogin(userDTO.getLogin(), true);
 					}
-					hs.invalidate();
 				}
 			%>
 			<script type="text/javascript">
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -r7475d08afc280b5e2e5ddf04e8bf35e3166aaf80 -r7342460aa103c2f8ecd74a5ddfacbaad6b483f5c
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision 7475d08afc280b5e2e5ddf04e8bf35e3166aaf80)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	(.../SsoHandler.java)	(revision 7342460aa103c2f8ecd74a5ddfacbaad6b483f5c)
@@ -99,7 +99,6 @@
 
 		// recreate session here in case it was invalidated in login.jsp by sysadmin's LoginAs
 		HttpSession session = request.getSession();
-
 		/*
 		 * Fetch UserDTO before completing request so putting it later in session is done ASAP
 		 * Response is sent in another thread and if UserDTO is not present in session when browser completes
@@ -161,26 +160,21 @@
 
 		// check if user is already logged in
 		HttpSession existingSession = SessionManager.getSessionForLogin(login);
-
+		
 		// store session so UniversalLoginModule can access it
 		SessionManager.startSession(request);
 
 		String oldSessionID = session.getId();
-
+		
 		// do the logging in UniversalLoginModule or cache
 		handler.handleRequest(exchange);
-
+		
 		// session ID was changed after log in
 		SessionManager.updateSessionID(oldSessionID);
 
 		if (login.equals(request.getRemoteUser())) {
 		    session.setAttribute(AttributeNames.USER, userDTO);
 
-		    // if user is already logged in on another browser, log him out
-		    if (existingSession != null) {
-			SessionManager.removeSessionByID(existingSession.getId(), true, false);
-		    }
-
 		    Integer failedAttempts = user.getFailedAttempts();
 		    if (failedAttempts != null && failedAttempts > 0 && password != null
 			    && !password.startsWith("#LAMS")) {
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
diff -u -r027491111fd57ce314b950c467ff86b31d5d505e -r7342460aa103c2f8ecd74a5ddfacbaad6b483f5c
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	(.../SessionManager.java)	(revision 027491111fd57ce314b950c467ff86b31d5d505e)
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	(.../SessionManager.java)	(revision 7342460aa103c2f8ecd74a5ddfacbaad6b483f5c)
@@ -39,8 +39,6 @@
 
 public class SessionManager {
     public static final String SYS_SESSION_COOKIE = "JSESSIONID";
-    // if this attribute is set in session, next call will force the user to log out
-    public static final String LOG_OUT_FLAG = "lamsLogOutFlag";
 
     // singleton
     private static SessionManager sessionManager;
@@ -74,11 +72,6 @@
      */
     public static void startSession(HttpServletRequest request) {
 	HttpSession session = request.getSession();
-	if (session.getAttribute(LOG_OUT_FLAG) != null) {
-	    // session was flagged for invalidation
-	    session.invalidate();
-	    throw new SecurityException("You were logged out");
-	}
 
 	String sessionId = session.getId();
 	sessionIdMapping.put(sessionId, session);
@@ -91,8 +84,8 @@
 	    // check if it's a different session and if so, which one is newer
 	    if (existingSession != null && !existingSession.getId().equals(sessionId)) {
 		if (session.getCreationTime() > existingSession.getCreationTime()) {
-		    // mark the other session for invalidation
-		    existingSession.setAttribute(LOG_OUT_FLAG, true);
+		    // invalidate the other session
+		    existingSession.invalidate();
 		} else {
 		    // invalidate this session
 		    session.invalidate();
@@ -122,10 +115,12 @@
 	SessionManager.loginMapping.remove(login);
 
 	if (invalidate) {
-	    // only mark for invalidation, not invalidate
-	    // otherwise on clustered environment we get problems with server-side invalidation of Infinispan distributed sessions
-	    // see WFLY-7281 and WFLY-7229; maybe it will work on WildFly 11
-	    session.setAttribute(LOG_OUT_FLAG, true);
+	    try {
+		session.invalidate();
+	    } catch (IllegalStateException e) {
+		System.out.println("SessionMananger invalidation exception");
+		// if it was already invalidated, do nothing
+	    }
 	}
     }
 
@@ -136,12 +131,13 @@
 	HttpSession session = SessionManager.getSession(sessionID);
 	if (session != null) {
 	    SessionManager.sessionIdMapping.remove(sessionID);
-
 	    if (invalidate) {
-		// only mark for invalidation, not invalidate
-		// otherwise on clustered environment we get problems with server-side invalidation of Infinispan distributed sessions
-		// see WFLY-7281 and WFLY-7229; maybe it will work on WildFly 11
-		session.setAttribute(LOG_OUT_FLAG, true);
+		try {
+		    session.invalidate();
+		} catch (IllegalStateException e) {
+		    System.out.println("SessionMananger invalidation exception");
+		    // if it was already invalidated, do nothing
+		}
 	    }
 	}
 	if (clearLoginMapping) {