diff --git a/include/class.auth.php b/include/class.auth.php
index ff8b54466e493ebb40ae48723c3668fd9a280d15..a7dbfecbdcb294451544c0716623f07fb1f0f086 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -346,6 +346,7 @@ abstract class StaffAuthenticationBackend  extends AuthenticationBackend {
         global $ost;
 
         $_SESSION['_auth']['staff'] = array();
+        unset($_SESSION[':token']['staff']);
         $ost->logDebug('Staff logout',
                 sprintf("%s logged out [%s]",
                     $staff->getUserName(),
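Review bot: `unset($_SESSION[':token']['staff'])` removes the session slot but does not clear a `$this->token` alias already bound to it. The StaffSession constructor changed in this same commit binds the property by reference, and unsetting an array element only detaches that reference, so an instance created earlier in the request keeps the old token value. If anything consults that instance after logout (not visible here), its isValid() would still be handed the old token; assigning through the slot instead, `$_SESSION[':token']['staff'] = null;`, clears both sides. The same applies to `unset($_SESSION[':token']['client']);` in the user logout hunk that follows. The enclosing logout method starts and ends outside this hunk.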
@@ -462,6 +463,7 @@ abstract class UserAuthenticationBackend  extends AuthenticationBackend {
         global $ost;
 
         $_SESSION['_auth']['user'] = array();
+        unset($_SESSION[':token']['client']);
         $ost->logDebug('User logout',
                 sprintf("%s logged out [%s]",
                     $user->getUserName(), $_SERVER['REMOTE_ADDR']));
diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index d27debae7a795859e7b37a0596e19516ee4aa1bc..db51e89e771caaaff6fe9bdb1d3e2808b96e548c 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -88,14 +88,14 @@ class osTicketSession {
                 list($this->data)=db_fetch_row($res);
             $this->id = $id;
         }
-        $this->data_hash = md5($this->data);
+        $this->data_hash = md5($id.$this->data);
         return $this->data;
     }
 
     function write($id, $data){
         global $thisstaff;
 
-        if (md5($data) == $this->data_hash)
+        if (md5($id.$data) == $this->data_hash)
             return;
 
         $ttl = ($this && get_class($this) == 'osTicketSession')
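Review bot: The changed condition in write() still compares two md5 hex strings with loose `==`, so two different digests that both have the form `0e` followed only by digits compare equal as numbers and the write is silently skipped; use `if (md5($id.$data) === $this->data_hash)`. The reason for hashing `$id` is not stated, and if the intent is to force a write when the session id changes while the data does not, a comment on the read() assignment such as `// include the id so a new session id is persisted even when the payload is unchanged` would record it. The unchanged `return;` below yields null, and if this method is registered as the session save handler, `return true;` would be the safer value on current PHP. Both read() and write() extend outside the hunk.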
diff --git a/include/class.usersession.php b/include/class.usersession.php
index 4e2440dd57831fe5e8a9f53aac0b190f0d5643ca..92e7f4380da5c9381f95a73c40e8c61b637a6cdc 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -114,9 +114,11 @@ class UserSession {
 class ClientSession extends EndUser {
 
     var $session;
+    var $token;
 
     function __construct($user) {
         parent::__construct($user);
+        $this->token = &$_SESSION[':token']['client'];
         // XXX: Change the key to user-id
         $this->session= new UserSession($user->getUserName());
     }
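Review bot: The new `$token` property is a reference alias into `$_SESSION`, which `var $token;` does not convey; the assignment in the constructor should carry a comment such as `// alias of $_SESSION[':token']['client']: writes to $this->token are stored in the session`. Taking a reference to an array element that does not exist creates it with a null value, so constructing a ClientSession adds a `:token` entry to the session before any token has been issued, and that side effect is worth stating in the same comment. The StaffSession constructor in the later hunk of this file has the same binding and needs the same note.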
@@ -127,15 +129,15 @@ class ClientSession extends EndUser {
         if(!$this->getId() || $this->session->getSessionId()!=session_id())
             return false;
 
-        return $this->session->isvalidSession($_SESSION['_client']['token'],$cfg->getClientTimeout(),false)?true:false;
+        return $this->session->isvalidSession($this->token,$cfg->getClientTimeout(),false)?true:false;
     }
 
     function refreshSession(){
-        $time = $this->session->getLastUpdate($_SESSION['_client']['token']);
+        $time = $this->session->getLastUpdate($this->token);
         // Deadband session token updates to once / 30-seconds
         if (time() - $time < 30)
             return;
-        $_SESSION['_client']['token']=$this->getSessionToken();
+        $this->token = $this->getSessionToken();
         //TODO: separate expire time from hash??
     }
 
@@ -156,9 +158,11 @@ class ClientSession extends EndUser {
 class StaffSession extends Staff {
 
     var $session;
+    var $token;
 
     function __construct($var) {
         parent::__construct($var);
+        $this->token = &$_SESSION[':token']['staff'];
         $this->session= new UserSession($this->getId());
     }
 
@@ -168,16 +172,16 @@ class StaffSession extends Staff {
         if(!$this->getId() || $this->session->getSessionId()!=session_id())
             return false;
 
-        return $this->session->isvalidSession($_SESSION['_staff']['token'],$cfg->getStaffTimeout(),$cfg->enableStaffIPBinding())?true:false;
+        return $this->session->isvalidSession($this->token,$cfg->getStaffTimeout(),$cfg->enableStaffIPBinding())?true:false;
     }
 
     function refreshSession(){
-        $time = $this->session->getLastUpdate($_SESSION['_staff']['token']);
+        $time = $this->session->getLastUpdate($this->token);
         // Deadband session token updates to once / 30-seconds
         if (time() - $time < 30)
             return;
 
-        $_SESSION['_staff']['token']=$this->getSessionToken();
+        $this->token=$this->getSessionToken();
     }
 
     function getSession() {
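Review bot: After this change `$_SESSION['_staff']['token']` is no longer read or written in isValid() and refreshSession(), and nothing in the diff migrates or clears it, so token material stored under the old key stays in existing session records until they expire. A session created before the change reaches isValid() with `$this->token` empty; presumably isvalidSession() rejects that and the user is signed out once, which should be stated in the commit description if it is intended. Dropping the stale entry where the new key is bound, for example `unset($_SESSION['_staff']['token']);` in the constructor, would keep old tokens from lingering. The ClientSession hunk earlier in this file has the same gap for `$_SESSION['_client']['token']`.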