Index: lams_build/lib/lams/lams.jar
===================================================================
diff -u -r0ad005fccfb4565f26a51ccd1bb1c24d0666aa6e -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java
===================================================================
diff -u -r8b469ff18d080eb020107ad2b0de5ad6b887854c -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32
--- lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java (.../SessionListener.java) (revision 8b469ff18d080eb020107ad2b0de5ad6b887854c)
+++ lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java (.../SessionListener.java) (revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
@@ -96,7 +96,9 @@
 HttpSession session = sessionEvent.getSession();
 if (session != null) {
 UserDTO userDTO = (UserDTO) session.getAttribute(AttributeNames.USER);
- if (userDTO != null) {
+ if (userDTO == null) {
+ SessionManager.removeSessionByID(session.getId(), false);
+ } else {
 // this is set in SsoHandler
 // if user logs in from another browser, cache must not be flushed,
 // otherwise current authentication process fails
@@ -108,7 +110,7 @@
 // remove obsolete mappings to session
 // the session is either already invalidated or will be very soon by another module
- SessionManager.removeSession(login, false);
+ SessionManager.removeSessionByLogin(login, false);
 }
 }
 }
Index: lams_central/web/login.jsp
===================================================================
diff -u -r80bb5cfbc56a1be1dc664f47af5a138824696cb2 -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32
--- lams_central/web/login.jsp (.../login.jsp) (revision 80bb5cfbc56a1be1dc664f47af5a138824696cb2)
+++ lams_central/web/login.jsp (.../login.jsp) (revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
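Review bot: The new `userDTO == null` branch drops the session-ID mapping for sessions that never got a user, but the `else` branch still leaves through `removeSessionByLogin(login, false)` (second hunk of this file), and whether that call also clears the session-ID entry depends on SessionManager code outside this diff; if it does not, logged-in sessions keep a stale ID mapping after destruction while anonymous ones do not, so it is worth confirming. The new branch also has no comment while the `else` side is commented; suggest `// no user bound to this session: drop its ID mapping so the entry does not outlive the session`. The enclosing method (presumably sessionDestroyed, judging by the comments in the second hunk) starts and ends outside the hunk.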
@@ -182,7 +182,7 @@
 hs.removeAttribute("password");
 UserDTO userDTO = (UserDTO) hs.getAttribute("user");
 if (userDTO != null) {
- SessionManager.removeSession(userDTO.getLogin(), true);
+ SessionManager.removeSessionByLogin(userDTO.getLogin(), true);
 }
 }
 %>
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -r86e4e1c98dbf5923f07844e1e9a8dc9aeec45826 -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 86e4e1c98dbf5923f07844e1e9a8dc9aeec45826)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
@@ -101,6 +101,7 @@
 // prevent session fixation attack
 // This will become obsolete on Undertow upgrade to version 1.1.10+
+ SessionManager.removeSessionByID(session.getId(), false);
 request.changeSessionId();
 // store session so UniversalLoginModule can access it
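Review bot: The added `SessionManager.removeSessionByID(session.getId(), false)` is placed between the "prevent session fixation attack / obsolete on Undertow 1.1.10+" comment and `request.changeSessionId()`, so the Undertow remark now reads as if it described the mapping removal rather than the ID change. Give the new line its own comment, e.g. `// the session is about to receive a new ID: drop the mapping keyed by the old one`, and keep `request.changeSessionId()` directly under the comment that explains it. The line following the hunk ("store session so UniversalLoginModule can access it") presumably re-registers the session under the new ID; that is worth confirming, because after this removal the session is otherwise no longer reachable by ID at all. The enclosing method starts and ends outside the hunk.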
@@ -118,7 +119,7 @@
 // otherwise this authentication processs fails
 existingSession.setAttribute(NO_FLUSH_FLAG, true);
 // remove an existing session for the given user
- SessionManager.removeSession(login, true);
+ SessionManager.removeSessionByLogin(login, true);
 }
 // register current session as the only one for the given user
 SessionManager.addSession(login, session);
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
diff -u -r8b469ff18d080eb020107ad2b0de5ad6b887854c -rac1774a2e7f4b8ce9b79e6447b1b4748f719bc32
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java (.../SessionManager.java) (revision 8b469ff18d080eb020107ad2b0de5ad6b887854c)
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java (.../SessionManager.java) (revision ac1774a2e7f4b8ce9b79e6447b1b4748f719bc32)
@@ -88,7 +88,7 @@
 /**
 * Unregisteres the session for the given user.
 */
- public static void removeSession(String login, boolean invalidate) {
+ public static void removeSessionByLogin(String login, boolean invalidate) {
 HttpSession session = SessionManager.loginMapping.get(login);
 if (session != null) {
 SessionManager.loginMapping.remove(login);
@@ -106,6 +106,25 @@
 }
 
 /**
+ * Unregisteres the session by the given ID.
+ */
+ public static void removeSessionByID(String sessionID, boolean invalidate) {
+ HttpSession session = getSession(sessionID);
+ if (session != null) {
+ SessionManager.sessionIdMapping.remove(sessionID);
+
+ if (invalidate) {
+ try {
+ session.invalidate();
+ } catch (IllegalStateException e) {
+ System.out.println("SessionMananger invalidation exception");
+ // if it was already invalidated, do nothing
+ }
+ }
+ }
+ }
+
+ /**
 * Get system level HttpSession by current session id.
 */
 public static HttpSession getSession() {
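Review bot: `removeSessionByID` removes the session only from `sessionIdMapping`; if the same session is also registered in `loginMapping` (as `SessionManager.addSession(login, session)` in the SsoHandler hunk suggests), the login entry keeps pointing at a session this method may have just invalidated. Either document that callers must use `removeSessionByLogin` for sessions with a logged-in user, or also drop the matching `loginMapping` entry here so the two maps cannot drift apart. The catch block reports through `System.out.println` with a misspelled message (`SessionMananger`); route it through the class's logger if it has one, or at least correct the text. The Javadoc also copies the existing `Unregisteres` typo; suggest `Unregisters the session stored under the given ID and, when {@code invalidate} is true, invalidates it as well.`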