diff --git a/web/includes/actions/login.php b/web/includes/actions/login.php
index 00c83d2b2..7c494ff3c 100644
--- a/web/includes/actions/login.php
+++ b/web/includes/actions/login.php
@@ -61,7 +61,7 @@ if ( ('login' == $action) && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == '
 // if captcha existed, it was passed
- if ( ! $user ) {
+ if ( ! isset($user) ) {
 $_SESSION['loginFailed'] = true;
 return;
 }
@@ -71,7 +71,9 @@ if ( ('login' == $action) && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == '
 zm_session_start();
 $close_session = 1;
 }
- $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
+
+ $username = $_REQUEST['username'];
+ $password = $_REQUEST['password'];
 ZM\Info("Login successful for user \"$username\"");
 $password_type = password_type($password);
diff --git a/web/includes/session.php b/web/includes/session.php
index 4832957fa..1e2601f08 100644
--- a/web/includes/session.php
+++ b/web/includes/session.php
@@ -20,6 +20,7 @@ function zm_session_start() {
 ZM\Logger::Debug('Setting cookie parameters to lifetime('.$currentCookieParams['lifetime'].') path('.$currentCookieParams['path'].') domain ('.$currentCookieParams['domain'].') secure('.$currentCookieParams['secure'].') httpOnly(1) name:'.session_name());
 session_start();
+ $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
 // Do not allow to use expired session ID
 if ( !empty($_SESSION['last_time']) && ($_SESSION['last_time'] < (time() - 180)) ) {
 ZM\Info('Destroying session due to timeout. ');
@@ -67,8 +68,8 @@ function zm_session_clear() {
 setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
 }
 session_unset();
- session_write_close();
 session_destroy();
+ session_write_close();
 session_start();
 } // function zm_session_clear()
 ?>
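Review bot: `isset($user)` is true for any non-null value, so if the lookup that assigns `$user` above this hunk can return `false` or an empty array when authentication fails, the new guard lets that result through to the "Login successful" path below instead of setting `loginFailed`. The assignment is outside the hunk (the enclosing `if` starts before it), so this is inferred, but `if ( empty($user) ) {` rejects both the unset and the falsy case where `! isset($user)` does not. If the original `! $user` was changed only to silence an undefined-variable notice, initialising `$user = null;` before the lookup keeps the stricter check.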
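Review bot: `$_REQUEST['password']` is read with no `isset`/`??` guard, while the enclosing condition shown in the hunk header checks only `$_REQUEST['username']`, so a login request without a password field raises an undefined-index notice before `password_type($password)` runs; `$password = $_REQUEST['password'] ?? '';` keeps the flow intact. Because `$_REQUEST` merges GET and cookie parameters as well as POST, credentials should be taken from `$_POST` only, so they cannot arrive via the query string and end up in URL and access logs. The removed `remoteAddr` assignment reappears in the session.php hunk; the concern with it is noted there.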
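Review bot: The added line overwrites `$_SESSION['remoteAddr']` every time `zm_session_start()` runs, i.e. on every request that opens the session, so any later comparison of the stored address with the current `REMOTE_ADDR` will always match and the hijacking protection the comment describes cannot trigger. Record the address once, when the session is first established: `if ( ! isset($_SESSION['remoteAddr']) ) $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR'];`, and perform the comparison where the session is validated. I cannot see whether such a comparison exists; `zm_session_start()` continues outside the hunk, and if the check is further down it must run against the stored value before it is refreshed.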
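Review bot: After `session_destroy()` there is no active session, so the relocated `session_write_close()` has nothing to close and just returns false; if the move was made to avoid the "destroy uninitialized session" warning the previous order likely produced, the call can simply be removed rather than kept. The following `session_start()` will still pick up the session ID from the request cookie, since the `setcookie` above only affects the client's next request, so unless `session.use_strict_mode` is enabled the client keeps the same ID across logout; `session_regenerate_id(true);` after the restart gives it a fresh one. `zm_session_clear()` starts outside the hunk.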