diff --git a/source/java/org/alfresco/web/app/ContextListener.java b/source/java/org/alfresco/web/app/ContextListener.java
index bc509447b2..ccaeee9ba4 100644
--- a/source/java/org/alfresco/web/app/ContextListener.java
+++ b/source/java/org/alfresco/web/app/ContextListener.java
@@ -192,7 +192,7 @@ public class ContextListener implements ServletContextListener, HttpSessionListe
 // invalidate ticket and clear the Security context for this thread
 WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
 AuthenticationService authService = (AuthenticationService)ctx.getBean("authenticationService");
- authService.invalidateTicket(user.getTicket());
+ authService.invalidateTicket(user.getTicket(), event.getSession().getId());
 authService.clearCurrentSecurityContext();
 event.getSession().removeAttribute(userKey);
 }
diff --git a/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java b/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
index f4961f5fd0..1b25b75081 100644
--- a/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
+++ b/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
@@ -173,7 +173,7 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
 WebApplicationContext ctx = (WebApplicationContext)getPortletContext().getAttribute(
 WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);
 AuthenticationService auth = (AuthenticationService)ctx.getBean("AuthenticationService");
- auth.validate(user.getTicket());
+ auth.validate(user.getTicket(), null);
 // save last username into portlet preferences, get from LoginBean state
 LoginBean loginBean = (LoginBean)request.getPortletSession().getAttribute(AuthenticationHelper.LOGIN_BEAN);
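Review bot: If `authService.invalidateTicket(user.getTicket(), event.getSession().getId())` throws — for example because the ticket has already expired or been invalidated through another path, which this hunk cannot show — the two lines after it are skipped, so the thread keeps its security context and the user attribute stays on the dying session. A try/finally keeps the cleanup unconditional: `try { authService.invalidateTicket(user.getTicket(), event.getSession().getId()); } finally { authService.clearCurrentSecurityContext(); event.getSession().removeAttribute(userKey); }`. Whether invalidateTicket can throw for an unknown ticket is not visible here and should be confirmed against the service. The enclosing method starts outside the hunk.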
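Review bot: `auth.validate(user.getTicket(), null)` opts the portlet path out of the session binding that every servlet path in this commit now applies, so a ticket presented through the portlet is accepted regardless of which session it was issued to. If the new second argument is the session ID the ticket must belong to (its contract is not in view), the portlet could pass `request.getPortletSession().getId()` — but whether that equals the HttpSession ID the ticket was bound to depends on the portal container and needs checking before switching. At minimum a comment such as `// null: no session binding on the portlet path — the ticket is accepted for any session` should record that the weaker check is deliberate.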
@@ -329,7 +329,7 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
 logger.debug("Validating ticket: " + user.getTicket());
 // setup the authentication context
- auth.validate(user.getTicket());
+ auth.validate(user.getTicket(), null);
 }
 // do the normal JSF processing
diff --git a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
index b65814e716..95a8d3c6f0 100644
--- a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
+++ b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
@@ -93,7 +93,7 @@ public final class AuthenticationHelper
 private static final String PERSON_SERVICE = "personService";
 /** cookie names */
- private static final String COOKIE_ALFUSER = "alfUser";
+ private static final String COOKIE_ALFUSER = "alfUser0";
 private static Log logger = LogFactory.getLog(AuthenticationHelper.class);
@@ -209,7 +209,7 @@ public final class AuthenticationHelper
 auth.authenticateAsGuest();
 // if we get here then Guest access was allowed and successful
- setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
+ setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(session.getId()), false);
 // Set up the thread context
 setupThread(sc, req, res);
@@ -228,7 +228,8 @@ public final class AuthenticationHelper
 {
 // Guest is unable to access either properties on Person
 AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
- unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
+ String sessionId = session.getId();
+ unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket(sessionId), sessionId);
 unprotAuthService.clearCurrentSecurityContext();
 logger.warn("Unable to login as Guest: " + accessError.getMessage());
 }
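Review bot: Renaming the cookie constant to `alfUser0` leaves the old `alfUser` cookie on every existing client, where it persists until it expires with whatever it carried before; nothing in this hunk retires it. If the rename marks a change of value format (the new `getAuthCookieValue` Base64-decodes the value, which suggests that, though it is not confirmed here), the code that reads the cookie should also expire any `alfUser` cookie it still sees with `Max-Age=0`, so that the stale value is never parsed under the new rules. A short comment on the constant would save the next reader the archaeology: `// "alfUser0": renamed when the cookie value format changed so that stale "alfUser" cookies are ignored`.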
@@ -236,7 +237,8 @@ public final class AuthenticationHelper
 {
 // Some other kind of serious failure to report
 AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
- unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
+ String sessionId = session.getId();
+ unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket(sessionId), sessionId);
 unprotAuthService.clearCurrentSecurityContext();
 throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
 }
@@ -277,7 +279,7 @@ public final class AuthenticationHelper
 HttpSession session = httpRequest.getSession();
 try
 {
- auth.validate(ticket);
+ auth.validate(ticket, session.getId());
 // We may have previously been authenticated via WebDAV so we may need to 'promote' the user object
 SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
@@ -295,7 +297,8 @@ public final class AuthenticationHelper
 {
 // Some other kind of serious failure
 AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
- unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
+ String sessionId = session.getId();
+ unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket(sessionId), sessionId);
 unprotAuthService.clearCurrentSecurityContext();
 return AuthenticationStatus.Failure;
 }
@@ -403,7 +406,7 @@ public final class AuthenticationHelper
 {
 auth.authenticateAsGuest();
- User user = createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket());
+ User user = createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(session.getId()));
 // store the User object in the Session - the authentication servlet will then proceed
 session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
@@ -425,7 +428,8 @@ public final class AuthenticationHelper
 {
 // Guest is unable to access either properties on Person
 AuthenticationService unprotAuthService = (AuthenticationService)ctx.getBean(UNPROTECTED_AUTH_SERVICE);
- unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
+ String sessionId = session.getId();
+ unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket(sessionId), sessionId);
 unprotAuthService.clearCurrentSecurityContext();
 logger.warn("Unable to login as Guest: " + accessError.getMessage());
 }
@@ -433,7 +437,8 @@ public final class AuthenticationHelper
 {
 // Some other kind of serious failure to report
 AuthenticationService unprotAuthService = (AuthenticationService)ctx.getBean(UNPROTECTED_AUTH_SERVICE);
- unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
+ String sessionId = session.getId();
+ unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket(sessionId), sessionId);
 unprotAuthService.clearCurrentSecurityContext();
 throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
 }
@@ -499,7 +504,7 @@ public final class AuthenticationHelper
 AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
 try
 {
- auth.validate(sessionUser.getTicket());
+ auth.validate(sessionUser.getTicket(), session.getId());
 if (sessionUser instanceof User)
 {
 user = (User)sessionUser;
@@ -541,7 +546,8 @@ public final class AuthenticationHelper
 .getBean(AUTHENTICATION_COMPONENT);
 authenticationComponent.setCurrentUser(userId);
 AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
- user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true);
+ session = httpRequest.getSession();
+ user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(session.getId()), true);
 }
 }
 return user;
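Review bot: The catch block in the `@@ -433` hunk repeats, verbatim, the same three-line cleanup the commit adds to three other catch blocks in this file — look up UNPROTECTED_AUTH_SERVICE, `String sessionId = session.getId();`, invalidate the current ticket for that session, clear the security context. Because the session binding is now part of that sequence, four hand-maintained copies are four places for the binding to drift; a private helper keeps it in one. The context object is named `ctx` here and `wc` in the earlier hunks and its declared type is not visible, so the parameter type below is a guess to be adjusted.

```java
// helper: invalidate the ticket bound to this session and drop the thread's security context
private static void invalidateCurrentTicket(WebApplicationContext ctx, HttpSession session)
{
    AuthenticationService unprotAuthService = (AuthenticationService)ctx.getBean(UNPROTECTED_AUTH_SERVICE);
    String sessionId = session.getId();
    unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket(sessionId), sessionId);
    unprotAuthService.clearCurrentSecurityContext();
}

// … unchanged: surrounding try …
catch (Exception e)
{
    // Some other kind of serious failure to report
    invalidateCurrentTicket(ctx, session);
    throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
}
```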
@@ -606,4 +612,28 @@ public final class AuthenticationHelper
 }
 return authCookie;
 }
+
+ /**
+ * Gets the decoded auth cookie value.
+ *
+ * @param authCookie
+ * the auth cookie
+ * @return the auth cookie value
+ */
+ public static String getAuthCookieValue(Cookie authCookie)
+ {
+ String authCookieValue = authCookie.getValue();
+ if (authCookieValue == null)
+ {
+ return null;
+ }
+ try
+ {
+ return new String(Base64.decode(authCookieValue), "UTF-8");
+ }
+ catch (UnsupportedEncodingException e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
 }
diff --git a/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java b/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java
index 7b0e4dae3b..06384e7663 100644
--- a/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java
+++ b/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java
@@ -236,7 +236,8 @@ public class HTTPRequestAuthenticationFilter implements Filter
 authComponent.setCurrentUser(userName);
 // Set up the user information
- AuthenticationHelper.setUser(context, req, userName, authenticationService.getCurrentTicket(), true);
+ AuthenticationHelper.setUser(context, req, userName, authenticationService.getCurrentTicket(req.getSession()
+ .getId()), true);
 // Set the locale using the session
 AuthenticationHelper.setupThread(this.context, req, res);
diff --git a/source/java/org/alfresco/web/bean/LoginBean.java b/source/java/org/alfresco/web/bean/LoginBean.java
index be17e78fd4..660a863993 100644
--- a/source/java/org/alfresco/web/bean/LoginBean.java
+++ b/source/java/org/alfresco/web/bean/LoginBean.java
@@ -35,6 +35,7 @@ import javax.faces.component.UIComponent;
 import javax.faces.context.FacesContext;
 import javax.faces.validator.ValidatorException;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.SessionUser;
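Review bot: `Base64.decode(authCookieValue)` in the new `getAuthCookieValue` is applied to a client-controlled cookie, yet the only failure the method handles is UnsupportedEncodingException, which cannot occur for "UTF-8"; how the imported `Base64` reacts to a malformed value — throwing, or returning garbage bytes — is not visible here (its import is outside the hunk), but either way a bad cookie should read as "no cookie" rather than propagate out of the authentication filter. If the decoder throws on bad input, catch that and `return null;` next to the existing null check; if it does not, the caller has to validate what it gets back. Replacing `"UTF-8"` with `StandardCharsets.UTF_8` (Java 7+, `java.nio.charset`) removes the checked exception and the RuntimeException wrapper entirely. The Javadoc should also say that `authCookie` must be non-null, since `authCookie.getValue()` is called unconditionally.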
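Review bot: The wrapped expression `authenticationService.getCurrentTicket(req.getSession()` / `.getId())` puts a method call on a continuation line inside an argument list, which is hard to read and easy to mis-edit; a named local is clearer: `String sessionId = req.getSession().getId();` followed by `AuthenticationHelper.setUser(context, req, userName, authenticationService.getCurrentTicket(sessionId), true);`. Note that `req.getSession()` creates a session when the request has none, which is presumably intended since setUser stores the user in it — a comment saying so, e.g. `// getSession() may create the session here; the ticket is bound to its ID`, would make that explicit.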
@@ -300,10 +301,19 @@ public class LoginBean implements Serializable
 // remove the session invalidated flag (used to remove last username cookie by AuthenticationFilter)
 session.remove(AuthenticationHelper.SESSION_INVALIDATED);
+ // Try to make an association between the session ID and the ticket ID (if not possible here, it will
+ // happen during first pass through security filters)
+ String sessionId = null;
+ Object httpSession = fc.getExternalContext().getSession(false);
+ if (httpSession != null && httpSession instanceof HttpSession)
+ {
+ sessionId = ((HttpSession) httpSession).getId();
+ }
+
 // setup User object and Home space ID
 User user = new User(
 this.username,
- this.getAuthenticationService().getCurrentTicket(),
+ this.getAuthenticationService().getCurrentTicket(sessionId),
 getPersonService().getPerson(this.username));
 NodeRef homeSpaceRef = (NodeRef) this.getNodeService().getProperty(getPersonService().getPerson(this.username), ContentModel.PROP_HOMEFOLDER);
@@ -426,8 +436,8 @@ public class LoginBean implements Serializable
 SessionUser user = (SessionUser)session.get(AuthenticationHelper.AUTHENTICATION_USER);
 if (user != null)
 {
- // invalidate ticket and clear the Security context for this thread
- getAuthenticationService().invalidateTicket(user.getTicket());
+ // invalidate ticket and clear the Security context for this thread
+ getAuthenticationService().invalidateTicket(user.getTicket(), null);
 getAuthenticationService().clearCurrentSecurityContext();
 }
 // remove all objects from our session by hand
diff --git a/source/java/org/alfresco/web/bean/wcm/EditFormWizard.java b/source/java/org/alfresco/web/bean/wcm/EditFormWizard.java
index 4e8c82f7c5..6da5c14bce 100644
--- a/source/java/org/alfresco/web/bean/wcm/EditFormWizard.java
+++ b/source/java/org/alfresco/web/bean/wcm/EditFormWizard.java
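Review bot: `fc.getExternalContext().getSession(false)` returns the session the browser already had before the credentials were checked, so the freshly issued ticket is bound to a pre-authentication session ID; unless that ID is rotated somewhere earlier in the login flow (nothing in this hunk does it), a session ID fixed on the victim by an attacker becomes exactly the session the ticket is valid for, which defeats the purpose of the binding. Invalidating the pre-login session and obtaining a new one before the `getCurrentTicket(sessionId)` call — or binding after the container has rotated the ID — closes that gap; whether the surrounding filters already do this should be checked before relying on it. Separately, `httpSession != null &&` is redundant because `instanceof` is already false for null, so `if (httpSession instanceof HttpSession)` is enough. The enclosing method starts and ends outside the hunk.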
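Review bot: `getAuthenticationService().invalidateTicket(user.getTicket(), null)` passes no session ID at logout even though the ticket was bound to one at login in the hunk above; if the second argument is what removes the session-to-ticket association (its contract is not visible here), a null leaves that mapping behind after logout. The same lookup used at login works here: `Object httpSession = fc.getExternalContext().getSession(false);` then `String sessionId = httpSession instanceof HttpSession ? ((HttpSession) httpSession).getId() : null;` and `getAuthenticationService().invalidateTicket(user.getTicket(), sessionId);` — assuming a FacesContext `fc` is in scope in this method, which the hunk does not show. If null is intentional because the session is about to be invalidated anyway, a comment to that effect on the call would stop the next reader from "fixing" it.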
@@ -306,60 +306,67 @@ public class EditFormWizard for (WebProject wp: webProjects) { ResultSet results = searchRenderingEngineTemplateInWebProject(wp, retd.getName()); - int resultsCount = results.length(); - if (resultsCount>0) + try { - //update - for (int i=0; i0) { - NodeRef webformTemplateNodeRef = results.getNodeRef(i); - if (retd.getOutputPathPatternForRendition() != null) + //update + for (int i=0; i