Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -r552c232da62963a26b3572ad3004a58797f512c0 -ra1d2691d945236c8b50f7ddd67ccccdf435f9f2d
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 552c232da62963a26b3572ad3004a58797f512c0)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision a1d2691d945236c8b50f7ddd67ccccdf435f9f2d)
@@ -80,7 +80,7 @@
         if (keepSessionId) {
             deploymentInfo.setChangeSessionIdOnLogin(false);
         }
-
+
         // expose servlet context so other classes can use it
         SessionManager.setServletContext(servletContext);
@@ -99,7 +99,6 @@
         // recreate session here in case it was invalidated in login.jsp by sysadmin's LoginAs
         HttpSession session = request.getSession();
-        System.out.println("SESSION ID BEFORE LOGIN: " + session.getId());
         /*
          * Fetch UserDTO before completing request so putting it later in session is done ASAP
@@ -162,11 +161,15 @@
         // store session so UniversalLoginModule can access it
         SessionManager.startSession(request);
+
+        String oldSessionID = session.getId();
         // do the logging in UniversalLoginModule or cache
         handler.handleRequest(exchange);
-        System.out.println("SESSION ID AFTER LOGIN: " + session.getId());
+        // session ID was changed after log in
+        SessionManager.updateSessionID(oldSessionID);
+
         if (login.equals(request.getRemoteUser())) {
             session.setAttribute(AttributeNames.USER, userDTO);
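Review bot: `SessionManager.updateSessionID(oldSessionID)` runs unconditionally after `handler.handleRequest(exchange)`, and the comment above it states that the ID "was changed" as a fact, although the container only rotates the ID on a successful login and not at all when `keepSessionId` has disabled `changeSessionIdOnLogin` earlier in this file. Suggest `// re-key our mapping in case the container rotated the session ID on successful login` and, since only an authenticated session needs re-keying, moving the call inside the `if (login.equals(request.getRemoteUser()))` branch so a failed attempt never rewrites the current-session-ID holder. `session` is captured before `handleRequest`, which is only correct if the login path changes the ID in place rather than invalidating and creating a new session — presumably true for Undertow's change-session-id, but worth confirming. The enclosing handler lambda starts and ends outside this hunk.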
@@ -175,13 +178,13 @@
             if (existingSession != null) {
                 try {
                     // tell SessionListener not to flush credential cache on session destroy,
-                    // otherwise this authentication processs fails
+                    // otherwise this authentication process fails
                     existingSession.setAttribute(NO_FLUSH_FLAG, true);
                 } catch (IllegalStateException e) {
                     // if it was already invalidated, do nothing
                 }
                 // remove an existing session for the given user
-                SessionManager.removeSessionByLogin(login, true);
+                SessionManager.removeSessionByLogin(login, request.isRequestedSessionIdValid());
             }
             // register current session as the only one for the given user
             SessionManager.addSession(login, session);
@@ -217,8 +220,6 @@
             }
             SessionManager.endSession();
-
-            System.out.println("SESSION ID AFTER END: " + session.getId());
         });
     });
 }
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
diff -u -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32 -ra1d2691d945236c8b50f7ddd67ccccdf435f9f2d
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java (.../SessionManager.java) (revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java (.../SessionManager.java) (revision a1d2691d945236c8b50f7ddd67ccccdf435f9f2d)
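Review bot: The new `removeSessionByLogin(login, request.isRequestedSessionIdValid())` decides whether to invalidate the user's previously registered session based on whether the current request's cookie names a live session, which says nothing about `existingSession`. When the request carries no valid session ID — the normal case for an integration SSO hit arriving without a cookie — the old session is only dropped from the maps (see `removeSessionByLogin` below), so it stays authenticated until it times out and the "only one session per user" guarantee in the comment here no longer holds. If the intent was to avoid invalidating the very session this request runs in, compare the objects instead: `SessionManager.removeSessionByLogin(login, existingSession != session);`. If the intent was something else, a comment explaining why a valid requested ID should decide the invalidation would help the next reader.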
@@ -90,17 +90,18 @@
      */
     public static void removeSessionByLogin(String login, boolean invalidate) {
         HttpSession session = SessionManager.loginMapping.get(login);
-        if (session != null) {
-            SessionManager.loginMapping.remove(login);
-            SessionManager.sessionIdMapping.remove(session.getId());
+        if (session == null) {
+            return;
+        }
+        SessionManager.loginMapping.remove(login);
+        SessionManager.sessionIdMapping.remove(session.getId());
-            if (invalidate) {
-                try {
-                    session.invalidate();
-                } catch (IllegalStateException e) {
-                    System.out.println("SessionMananger invalidation exception");
-                    // if it was already invalidated, do nothing
-                }
+        if (invalidate) {
+            try {
+                session.invalidate();
+            } catch (IllegalStateException e) {
+                System.out.println("SessionMananger invalidation exception");
+                // if it was already invalidated, do nothing
             }
         }
     }
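Review bot: The rewritten catch in `removeSessionByLogin` still reports the swallowed `IllegalStateException` via `System.out.println("SessionMananger invalidation exception")` (typo included), while the comment next to it says the exception means the session was already invalidated and nothing needs doing. Either drop the print and keep the comment, or route it through the class's logger at debug level if one exists, e.g. `// session was already invalidated by the container; nothing left to do`. Note that `session.getId()` on the `sessionIdMapping.remove(...)` line sits outside the try and after `loginMapping.remove(login)`, so if the container throws `IllegalStateException` from `getId()` on an invalidated session the login entry is gone but the stale ID entry survives — worth a quick check against the servlet container in use.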
@@ -109,22 +110,40 @@
      * Unregisteres the session by the given ID.
      */
     public static void removeSessionByID(String sessionID, boolean invalidate) {
-        HttpSession session = getSession(sessionID);
-        if (session != null) {
-            SessionManager.sessionIdMapping.remove(sessionID);
+        HttpSession session = SessionManager.getSession(sessionID);
+        if (session == null) {
+            return;
+        }
+        SessionManager.sessionIdMapping.remove(sessionID);
-            if (invalidate) {
-                try {
-                    session.invalidate();
-                } catch (IllegalStateException e) {
-                    System.out.println("SessionMananger invalidation exception");
-                    // if it was already invalidated, do nothing
-                }
+        if (invalidate) {
+            try {
+                session.invalidate();
+            } catch (IllegalStateException e) {
+                System.out.println("SessionMananger invalidation exception");
+                // if it was already invalidated, do nothing
             }
         }
     }
     /**
+     * Makes sure that given session ID points to correct session.
+     * It may not be the case after session ID change after login.
+     */
+    public static void updateSessionID(String sessionID) {
+        HttpSession session = SessionManager.getSession(sessionID);
+        if (session == null) {
+            return;
+        }
+        String newSessionID = session.getId();
+        if (!sessionID.equals(newSessionID)) {
+            SessionManager.sessionIdMapping.remove(sessionID);
+            SessionManager.sessionIdMapping.put(newSessionID, session);
+            SessionManager.sessionManager.currentSessionIdContainer.set(newSessionID);
+        }
+    }
+
+    /**
      * Get system level HttpSession by current session id.
      */
     public static HttpSession getSession() {
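Review bot: `updateSessionID` has no null guard, so a null `sessionID` reaches `sessionID.equals(newSessionID)` (or fails earlier inside `getSession`, depending on the backing map), and the Javadoc neither says which ID the caller must pass nor that the method also rewrites `currentSessionIdContainer` — presumably a per-thread holder, given the `set` call — for whichever thread invokes it. Suggest `@param sessionID the ID the session was registered under before the container rotated it on login` plus a sentence stating it must be invoked on the request thread that owns the session, and a leading `if (sessionID == null) { return; }` in line with the other guard clauses in this hunk. The remove/put pair on `sessionIdMapping` is not atomic, so a concurrent lookup by either ID can briefly miss; that matches the surrounding code's style, but a short note in the Javadoc would save the next reader from wondering whether it was considered.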