From 2f43c16cc12473df830761ebecc229b7e277f732 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nbaars@xebia.com>
Date: Fri, 28 Aug 2015 16:24:04 +0200
Subject: [PATCH] Clicking on 'LAB: Role Based Access Control' produces
 'Invalid Session' in UI #44

---
 .../org/owasp/webgoat/session/WebSession.java  | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
index b479a3d7e..879c3af03 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
@@ -842,13 +842,17 @@ public class WebSession {
             } else if (al instanceof RandomLessonAdapter) {
                 try {
                     RandomLessonAdapter rla = (RandomLessonAdapter) al;
-                    int stage = myParser.getIntParameter(STAGE) - 1;
-                    String[] stages = rla.getStages();
-                    if (stages == null) {
-                        stages = new String[0];
-                    }
-                    if (stage >= 0 && stage < stages.length) {
-                        rla.setStage(this, stages[stage]);
+                    if (!myParser.getRawParameter(STAGE).equals("null")) {
+                        int stage = myParser.getIntParameter(STAGE) - 1;
+                        String[] stages = rla.getStages();
+                        if (stages == null) {
+                            stages = new String[0];
+                        }
+                        if (stage >= 0 && stage < stages.length) {
+                            rla.setStage(this, stages[stage]);
+                        }
+                    } else {
+                        rla.setStage(this, null);
                     }
                 } catch (ParameterNotFoundException pnfe) {
                 }
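Review bot: The new guard `!myParser.getRawParameter(STAGE).equals("null")` makes the literal request value "null" a sentinel that triggers `rla.setStage(this, null)`, so the stage is reset by a client-supplied string, and nothing in the hunk documents why or shows that setStage accepts a null stage. I would write the test constant-first, `if (!"null".equals(myParser.getRawParameter(STAGE))) {`, and put a comment above it such as `// the UI sends the string "null" when no stage is selected; treat it as "no stage"`. Any other non-numeric value still reaches `getIntParameter(STAGE)`, which presumably throws a NumberFormatException; the only handler visible here is the empty `catch (ParameterNotFoundException pnfe)`. That catch should at least log the missing parameter rather than drop it silently. The enclosing try and its if/else chain start and end outside the hunk, so further handlers may exist there.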