diff --git a/authentication/source/java/ch/systemsx/cisd/authentication/DefaultSessionManager.java b/authentication/source/java/ch/systemsx/cisd/authentication/DefaultSessionManager.java
index 1b0a15cc08faf8ddcff3e65463ddf887af32d3b8..91fec88c13f826bdf8891743b29eab982b4b7a79 100644
--- a/authentication/source/java/ch/systemsx/cisd/authentication/DefaultSessionManager.java
+++ b/authentication/source/java/ch/systemsx/cisd/authentication/DefaultSessionManager.java
@@ -50,6 +50,11 @@ public class DefaultSessionManager<T extends BasicSession> implements ISessionMa
 
     private static final String LOGIN_PREFIX = "LOGIN: ";
 
+    private static final char SESSION_TOKEN_SEPARATOR = '-';
+
+    // should be different than SESSION_TOKEN_SEPARATOR
+    private static final char TIMESTAMP_TOKEN_SEPARATOR = 'x';
+
     private static final Logger authenticationLog =
             LogFactory.getLogger(LogCategory.AUTH, DefaultSessionManager.class);
 
@@ -147,7 +152,9 @@ public class DefaultSessionManager<T extends BasicSession> implements ISessionMa
     private final T createAndStoreSession(final String user, final Principal principal,
             final long now)
     {
-        final String sessionToken = user + "-" + tokenGenerator.getNewToken(now);
+        final String sessionToken =
+                user + SESSION_TOKEN_SEPARATOR
+                        + tokenGenerator.getNewToken(now, TIMESTAMP_TOKEN_SEPARATOR);
         synchronized (sessions)
         {
             final T session =
@@ -243,7 +250,17 @@ public class DefaultSessionManager<T extends BasicSession> implements ISessionMa
 
         synchronized (sessions)
         {
-            final String user = StringUtils.split(sessionToken, '-')[0];
+            final String[] splittedToken = StringUtils.split(sessionToken, SESSION_TOKEN_SEPARATOR);
+            if (splittedToken.length < 2)
+            {
+                final String msg = "Session token '" + sessionToken + "' is malformed.";
+                if (authenticationLog.isInfoEnabled())
+                {
+                    authenticationLog.info(msg);
+                }
+                throw new InvalidSessionException(msg);
+            }
+            final String user = getUserName(splittedToken);
             final FullSession<T> session = sessions.get(user);
             if (session == null)
             {
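Review bot: The malformed-token branch copies the caller-supplied `sessionToken` verbatim into the INFO log line and into the `InvalidSessionException` message, so line breaks or arbitrarily long input reach the authentication log unescaped, and a truncated or mistyped real token would be recorded as well. A bounded message that leaves the value out would be safer, for example `final String msg = "Session token is malformed (length " + sessionToken.length() + ").";`. Separately, if `StringUtils` here is Commons Lang, `split` returns null for a null input, so `splittedToken.length` depends on a null check that is not visible in this hunk. The enclosing method starts above the hunk and continues below it.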
@@ -280,6 +297,14 @@ public class DefaultSessionManager<T extends BasicSession> implements ISessionMa
         }
     }
 
+    // take all tokens till the third token counting from the back
+    private static String getUserName(String[] splittedSessionToken)
+    {
+        int exclusiveEndIndex = splittedSessionToken.length - 1;
+        return StringUtils
+                .join(splittedSessionToken, SESSION_TOKEN_SEPARATOR, 0, exclusiveEndIndex);
+    }
+
     public String tryToOpenSession(final String user, final String password)
     {
         checkIfNotBlank(user, "user");
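Review bot: `getUserName` will not always give back the user name that `createAndStoreSession` put in front of the token: assuming `StringUtils` is Commons Lang, `split` merges adjacent separators and drops leading and trailing ones, so a login such as `a--b` is rebuilt as `a-b` and the `sessions.get(user)` lookup in the previous hunk misses. Taking the prefix up to the last separator avoids the split/join round trip, e.g. `final int end = sessionToken.lastIndexOf(SESSION_TOKEN_SEPARATOR);` then `final String user = sessionToken.substring(0, end);` after rejecting `end <= 0`. The comment above the method is also out of step with the code, which drops only the last token; `// user name = everything before the last SESSION_TOKEN_SEPARATOR` would match what it does.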