diff --git a/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java b/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
index 60ea9a344d06557fd388ecba1f5571623e376411..af2a26fdf304dd6e64574ea1897cca27e537523c 100644
--- a/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
+++ b/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
@@ -237,6 +237,8 @@ public class BaseFullWebappController extends BasicController implements DTabs,
     		listenTo(assessmentGuardCtrl);
     		assessmentGuardCtrl.getInitialComponent();
     		lockStatus = LockStatus.popup;
+    		//as security remove all 
+    		removeRedirects(usess);
     	} else {
     		// present an overlay with configured afterlogin-controllers or nothing if none configured.
     		// presented only once per session.
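Review bot: The comment added above `removeRedirects(usess)` is cut off ("as security remove all") and says neither what is removed nor why it matters in this branch. From the visible lines the call runs only when the assessment guard is shown and `lockStatus` becomes `LockStatus.popup`, so the intent is presumably that a redirect target stored before login cannot take the user out of the locked assessment view. State that, e.g. `// assessment lock active: discard stored post-login redirect targets so none can navigate past the guard`. The enclosing method starts and ends outside the hunk, so it is worth confirming whether other code paths that set the lock need the same cleanup.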
@@ -278,6 +280,20 @@ public class BaseFullWebappController extends BasicController implements DTabs,
 		GlobalStickyMessage.registerForGlobalStickyMessage(this, getIdentity());	
 	}
 	
+	/**
+	 * Remove all possible redirect commands in session.
+	 * 
+	 * @param usess
+	 */
+	private void removeRedirects(UserSession usess) {
+   		usess.removeEntry("AuthDispatcher:entryUrl");
+    	usess.removeEntry("AuthDispatcher:businessPath");
+    	usess.removeEntry("redirect-bc");
+    	usess.removeEntryFromNonClearedStore("AuthDispatcher:entryUrl");
+    	usess.removeEntryFromNonClearedStore("AuthDispatcher:businessPath");
+    	usess.removeEntryFromNonClearedStore("redirect-bc");
+	}
+	
 	private void initializeBase(UserRequest ureq, WindowManager winman, ComponentCollection mainPanel) {
 		// component-id of mainPanel for the window id
 		mainVc.contextPut("o_winid", mainPanel.getDispatchID());
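Review bot: `removeRedirects` repeats the three session keys as string literals, twice each, so the cleanup silently stops working if the code that stores those entries renames a key or adds another redirect entry, and the lock then fails open. Prefer referencing constants from the classes that write these entries, if they expose any, or declare the keys once in this class and loop over them for both `removeEntry` and `removeEntryFromNonClearedStore`. The Javadoc `@param usess` has no description; `@param usess the user session whose stored redirect targets are discarded` would do. The added body lines also mix spaces and tabs, unlike the surrounding code.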