Index: lams_build/lib/lams/lams.jar
===================================================================
RCS file: /usr/local/cvsroot/lams_build/lib/lams/lams.jar,v
diff -u -r1.420.2.87 -r1.420.2.88
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java
===================================================================
RCS file: /usr/local/cvsroot/lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java,v
diff -u -r1.7.22.8 -r1.7.22.9
--- lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java	4 Jul 2016 06:54:44 -0000	1.7.22.8
+++ lams_central/src/java/org/lamsfoundation/lams/web/SessionListener.java	18 Aug 2016 14:09:28 -0000	1.7.22.9
@@ -96,7 +96,9 @@
     HttpSession session = sessionEvent.getSession();
     if (session != null) {
         UserDTO userDTO = (UserDTO) session.getAttribute(AttributeNames.USER);
-        if (userDTO != null) {
+        if (userDTO == null) {
+            SessionManager.removeSessionByID(session.getId(), false);
+        } else {
             // this is set in SsoHandler
             // if user logs in from another browser, cache must not be flushed,
             // otherwise current authentication process fails
@@ -108,7 +110,7 @@
             // remove obsolete mappings to session
             // the session is either already invalidated or will be very soon by another module
-            SessionManager.removeSession(login, false);
+            SessionManager.removeSessionByLogin(login, false);
         }
     }
 }
Index: lams_central/web/login.jsp
===================================================================
RCS file: /usr/local/cvsroot/lams_central/web/login.jsp,v
diff -u -r1.51.2.21 -r1.51.2.22
--- lams_central/web/login.jsp	18 Aug 2016 09:28:34 -0000	1.51.2.21
+++ lams_central/web/login.jsp	18 Aug 2016 14:09:27 -0000	1.51.2.22
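Review bot: The new null branch in the first SessionListener hunk drops the session-ID mapping only for sessions that carry no logged-in user, while the else branch relies on removeSessionByLogin(login, false); whether that call also clears the sessionIdMapping entry is not visible here, because its body continues outside the SessionManager hunk. If it does not, destroyed sessions of logged-in users would leave a stale entry in the ID map that can still be resolved by ID. Calling `SessionManager.removeSessionByID(session.getId(), false);` once before the userDTO check, instead of only in the null branch, would make the ID cleanup independent of login state. The enclosing listener method starts and ends outside the hunk.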
@@ -182,7 +182,7 @@
     hs.removeAttribute("password");
     UserDTO userDTO = (UserDTO) hs.getAttribute("user");
     if (userDTO != null) {
-        SessionManager.removeSession(userDTO.getLogin(), true);
+        SessionManager.removeSessionByLogin(userDTO.getLogin(), true);
     }
 }
 %>
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/security/Attic/SsoHandler.java,v
diff -u -r1.1.2.18 -r1.1.2.19
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	6 Jul 2016 10:53:10 -0000	1.1.2.18
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java	18 Aug 2016 14:09:16 -0000	1.1.2.19
@@ -101,6 +101,7 @@
         // prevent session fixation attack
         // This will become obsolete on Undertow upgrade to version 1.1.10+
+        SessionManager.removeSessionByID(session.getId(), false);
         request.changeSessionId();
         // store session so UniversalLoginModule can access it
@@ -118,7 +119,7 @@
         // otherwise this authentication processs fails
         existingSession.setAttribute(NO_FLUSH_FLAG, true);
         // remove an existing session for the given user
-        SessionManager.removeSession(login, true);
+        SessionManager.removeSessionByLogin(login, true);
     }
     // register current session as the only one for the given user
     SessionManager.addSession(login, session);
Index: lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java,v
diff -u -r1.22.2.10 -r1.22.2.11
--- lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	4 Jul 2016 06:54:20 -0000	1.22.2.10
+++ lams_common/src/java/org/lamsfoundation/lams/web/session/SessionManager.java	18 Aug 2016 14:09:16 -0000	1.22.2.11
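Review bot: The new removeSessionByID call in the first SsoHandler hunk sits directly above `request.changeSessionId()`, but the only surrounding comment says the block becomes obsolete on an Undertow upgrade, so a reader cannot tell why the ID mapping is dropped before the ID is rotated; a comment such as `// unregister the pre-login ID so the old ID can no longer be resolved through SessionManager after rotation` would record the intent. Whether the session is registered again under its rotated ID appears to depend on `SessionManager.addSession(login, session)` in the second hunk, whose body is not visible here; it is worth confirming that addSession repopulates the ID map, since lookups by the new ID would otherwise fail until then. The enclosing method starts and ends outside both hunks.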
@@ -88,7 +88,7 @@
     /**
      * Unregisteres the session for the given user.
      */
-    public static void removeSession(String login, boolean invalidate) {
+    public static void removeSessionByLogin(String login, boolean invalidate) {
         HttpSession session = SessionManager.loginMapping.get(login);
         if (session != null) {
             SessionManager.loginMapping.remove(login);
@@ -106,6 +106,25 @@
     }
     /**
+     * Unregisteres the session by the given ID.
+     */
+    public static void removeSessionByID(String sessionID, boolean invalidate) {
+        HttpSession session = getSession(sessionID);
+        if (session != null) {
+            SessionManager.sessionIdMapping.remove(sessionID);
+
+            if (invalidate) {
+                try {
+                    session.invalidate();
+                } catch (IllegalStateException e) {
+                    System.out.println("SessionMananger invalidation exception");
+                    // if it was already invalidated, do nothing
+                }
+            }
+        }
+    }
+
+    /**
      * Get system level HttpSession by current session id.
      */
     public static HttpSession getSession() {
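Review bot: removeSessionByID in the second SessionManager hunk looks the session up with getSession(sessionID) and then removes the key from sessionIdMapping as a separate step, so two callers unregistering the same ID can interleave between the lookup and the removal; if sessionIdMapping is a Map, `HttpSession session = SessionManager.sessionIdMapping.remove(sessionID);` followed by the existing null check makes unregistration a single operation and drops the extra lookup. The catch block prints to System.out while its comment says it does nothing; either remove the println or route the event through the class's logger so an already-invalidated session is not reported on stdout. The Javadoc typo `Unregisteres` (also present in the first hunk) and the misspelled message `SessionMananger` are carried into the new method.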