diff --git a/modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java b/modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java index ff92bf4c5bc..624858588e1 100644 --- a/modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java +++ b/modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java @@ -9,6 +9,7 @@ import com.enonic.xp.context.Context; import com.enonic.xp.context.ContextBuilder; +import com.enonic.xp.context.LocalScope; import com.enonic.xp.portal.PortalRequest; import com.enonic.xp.script.bean.BeanContext; import com.enonic.xp.script.bean.ScriptBean; @@ -30,11 +31,6 @@ public final class LoginHandler implements ScriptBean { - private enum Scope - { - SESSION, REQUEST, NONE - } - private String user; private String password; @@ -113,15 +109,26 @@ public LoginResultMapper login() private void createSession( final AuthenticationInfo authInfo ) { - final Session session = this.context.get().getLocalScope().getSession(); + final LocalScope localScope = this.context.get().getLocalScope(); + final Session session = localScope.getSession(); + if ( session != null ) { - session.setAttribute( authInfo ); - } + final var attributes = session.getAttributes(); + session.invalidate(); - if ( this.sessionTimeout != null ) - { - setSessionTimeout(); + final Session newSession = localScope.getSession(); + + if ( newSession != null ) + { + attributes.forEach( newSession::setAttribute ); + session.setAttribute( authInfo ); + + if ( this.sessionTimeout != null ) + { + setSessionTimeout(); + } + } } } 
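Review bot: `session.setAttribute( authInfo )` inside the `if ( newSession != null )` branch writes the authentication result to the session that was just invalidated, so the regenerated session receives the copied attributes but not the login; it should read `newSession.setAttribute( authInfo );`. The `testSessionInvalidatedOnLogin` added later in this diff only verifies that `invalidate()` was called, so it would not catch this. Copying every attribute of the pre-login session into the new one also carries anonymous-phase state across the privilege change; if the intent of invalidating is only to rotate the session id on login, a comment stating that would help, e.g. `// rotate the session on login (fixation defence); existing attributes are carried over`. When `localScope.getSession()` returns null after invalidation the old session is already gone and authInfo is silently dropped, which is presumably not intended — consider logging or failing explicitly there.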
@@ -149,9 +156,8 @@ private AuthenticationInfo attemptLoginWithAllExistingIdProviders() private IdProviders getSortedIdProviders() { IdProviders idProviders = securityService.get().getIdProviders(); - return IdProviders.from( idProviders.stream(). - sorted( Comparator.comparing( u -> u.getKey().toString() ) ). - collect( Collectors.toList() ) ); + return IdProviders.from( + idProviders.stream().sorted( Comparator.comparing( u -> u.getKey().toString() ) ).collect( Collectors.toList() ) ); } private AuthenticationInfo attemptLogin() @@ -221,11 +227,12 @@ private AuthenticationInfo authenticate( IdProviderKey idProvider ) private T runAsAuthenticated( Callable runnable ) { final AuthenticationInfo authInfo = AuthenticationInfo.create().principals( RoleKeys.AUTHENTICATED ).user( User.ANONYMOUS ).build(); - return ContextBuilder.from( this.context.get() ). - authInfo( authInfo ). - repositoryId( SystemConstants.SYSTEM_REPO_ID ). - branch( SecurityConstants.BRANCH_SECURITY ).build(). - callWith( runnable ); + return ContextBuilder.from( this.context.get() ) + .authInfo( authInfo ) + .repositoryId( SystemConstants.SYSTEM_REPO_ID ) + .branch( SecurityConstants.BRANCH_SECURITY ) + .build() + .callWith( runnable ); } private boolean isValidEmail( final String value ) @@ -253,4 +260,9 @@ public void initialize( final BeanContext context ) this.context = context.getBinding( Context.class ); this.portalRequestSupplier = context.getBinding( PortalRequest.class ); } + + private enum Scope + { + SESSION, REQUEST, NONE + } } diff --git a/modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java b/modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java index 863598bf384..493e3377d21 100644 --- a/modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java +++ b/modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java 
@@ -23,6 +23,8 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNull; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; public class LoginHandlerTest extends ScriptTestSupport @@ -192,6 +194,25 @@ public void testLoginMultipleIdProvidersInOrder() assertEquals( "idprovider3", matcher.loginIdProviderAttempts.get( 2 ).toString() ); } + @Test + public void testSessionInvalidatedOnLogin() + { + final AuthenticationInfo authInfo = TestDataFixtures.createAuthenticationInfo(); + + final IdProviders idProviders = + IdProviders.from( IdProvider.create().displayName( "system" ).key( IdProviderKey.from( "system" ) ).build() ); + + Mockito.when( this.securityService.authenticate( Mockito.any() ) ).thenReturn( authInfo ); + Mockito.when( this.securityService.getIdProviders() ).thenReturn( idProviders ); + + final SessionMock session = Mockito.spy( new SessionMock() ); + ContextAccessor.current().getLocalScope().setSession( session ); + + runScript( "/lib/xp/examples/auth/login.js" ); + + verify( session, times( 5 ) ).invalidate(); + } + private static class AuthTokenMatcher implements ArgumentMatcher {