diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Votings.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Votes.java
similarity index 51%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Votings.java
rename to webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Votes.java
index 0ef7bee5b..cb1aac074 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Votings.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Votes.java
@@ -3,12 +3,14 @@ package org.owasp.webgoat.plugin.challenge5;
 import com.fasterxml.jackson.annotation.JsonView;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
 import org.springframework.http.converter.json.MappingJacksonValue;
 import org.springframework.web.bind.annotation.*;
@@ -19,6 +21,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
+import static org.owasp.webgoat.plugin.Flag.FLAGS;
 import static org.owasp.webgoat.plugin.SolutionConstants.JWT_PASSWORD;
 /**
@@ -27,7 +30,9 @@ import static org.owasp.webgoat.plugin.SolutionConstants.JWT_PASSWORD;
 */
 @RestController
 @RequestMapping("/votings")
-public class Votings {
+public class Votes {
+
+ private static String validUsers = "TomJerrySylvester";
 @AllArgsConstructor
 @Getter
@@ -43,45 +48,64 @@ public class Votings {
 @JsonView(Views.UserView.class)
 private int numberOfVotes;
 @JsonView(Views.AdminView.class)
- private String flag;
+ private String flag = FLAGS.get(5);
+ @JsonView(Views.UserView.class)
+ private boolean votingAllowed;
 }
 private int totalVotes = 38929;
- private List votings = Lists.newArrayList(
+ private List votes = Lists.newArrayList(
 new Voting("Admin lost password", "In this challenge you will need to help the admin and find the password in order to login",
- "challenge1-small.png", "challenge1.png", 14242, null),
+ "challenge1-small.png", "challenge1.png", 14242, FLAGS.get(5), true),
 new Voting("Vote for your favourite", "In this challenge ...",
- "challenge5-small.png", "challenge5.png", 12345, null),
+ "challenge5-small.png", "challenge5.png", 12345, FLAGS.get(5), true),
 new Voting("Get is for free", "The objective for this challenge is to buy a Samsung phone for free.",
- "challenge2-small.png", "challenge2.png", 12342, null)
+ "challenge2-small.png", "challenge2.png", 12342, FLAGS.get(5), true)
 );
 @GetMapping("/login")
- @ResponseBody
- @ResponseStatus(code = HttpStatus.OK)
 public void login(@RequestParam("user") String user, HttpServletResponse response) {
- Map claims = Maps.newHashMap();
- claims.put("admin", "false");
- claims.put("user", user);
- String token = Jwts.builder()
- .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
- .setClaims(claims)
- .signWith(SignatureAlgorithm.HS512, JWT_PASSWORD)
- .compact();
- Cookie cookie = new Cookie("access_token", token);
- response.addCookie(cookie);
+ if (validUsers.contains(user)) {
+ Map claims = Maps.newHashMap();
+ claims.put("admin", "false");
+ claims.put("user", user);
+ String token = Jwts.builder()
+ .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
+ .setClaims(claims)
+ .signWith(SignatureAlgorithm.HS512, JWT_PASSWORD)
+ .compact();
+ Cookie cookie = new Cookie("access_token", token);
+ response.addCookie(cookie);
+ response.setStatus(HttpStatus.OK.value());
+ } else {
+ Cookie cookie = new Cookie("access_token", "");
+ response.addCookie(cookie);
+ response.setStatus(HttpStatus.UNAUTHORIZED.value());
+ }
 }
 @GetMapping
- public MappingJacksonValue getVotings(@CookieValue(value = "access_token", required = false) String accessToken) {
- MappingJacksonValue value = new MappingJacksonValue(votings);
- if (accessToken == null) {
+ public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
+ MappingJacksonValue value = new MappingJacksonValue(votes);
+ if (StringUtils.isEmpty(accessToken)) {
 value.setSerializationView(Views.GuestView.class);
 } else {
- value.setSerializationView(Views.UserView.class);
+ try {
+ Jwt jwt = Jwts.parser().parse(accessToken);
+ Claims claims = (Claims) jwt.getBody();
+ String user = (String) claims.get("user");
+ boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
+ if ("Guest".equals(user)) {
+ value.setSerializationView(Views.GuestView.class);
+ } else {
+ value.setSerializationView(isAdmin ? Views.AdminView.class : Views.UserView.class);
+ }
+ } catch (IllegalArgumentException e) {
+ value.setSerializationView(Views.GuestView.class);
+ }
 }
 return value;
 }
@@ -93,10 +117,4 @@ public class Votings {
 totalVotes = totalVotes + 1; //return
 }
-
- @GetMapping("/flags")
- @ResponseBody
- public ResponseEntity getFlagInformation(@CookieValue("access_token") String accessToken, HttpServletResponse response) {
- return ResponseEntity.ok().build();
- }
 }
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge5.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge5.html
index d3127e93e..0c715a599 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge5.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge5.html
@@ -15,28 +15,31 @@
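Review bot: In getVotes the cookie is parsed with `Jwts.parser().parse(accessToken)` and no signing key, so the HS512 signature that login attaches is never verified and the `admin` claim that selects `Views.AdminView.class` (and with it the `flag` field) is read from an unauthenticated token; in jjwt a signed JWS handed to a key-less parser is rejected, which is presumably why the catch is on `IllegalArgumentException` and why a legitimately issued token ends up in the guest view. The verifying form is `Claims claims = Jwts.parser().setSigningKey(JWT_PASSWORD).parseClaimsJws(accessToken).getBody();` with the catch widened to `io.jsonwebtoken.JwtException`, which also removes the `(Claims)` cast. In login, `validUsers.contains(user)` is a substring test against the concatenated string "TomJerrySylvester" declared in the earlier hunk, not a membership check, so it accepts names that are not one of the three users; a `Set<String>` of the names is what the field name suggests. The `setIssuedAt(...)` value is discarded because `setClaims(claims)` replaces the whole claims map, and `TimeUnit.DAYS.toDays(10)` evaluates to 10 rather than a ten-day offset in milliseconds. Since this is a WebGoat lesson the unverified parse may be the intended weakness; if so, a comment such as `// lesson: token parsed without signature verification on purpose` would stop it being "fixed" by a later refactor.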
-
- +
+

Welcome back,

+
-

Vote for your favorite

diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge5.js b/webgoat-lessons/challenge/src/main/resources/js/challenge5.js
index c028f5a06..714978f9c 100644
--- a/webgoat-lessons/challenge/src/main/resources/js/challenge5.js
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge5.js
@@ -1,16 +1,18 @@
 $(document).ready(function () {
- getVotings()
+ getVotings();
+ login('Guest');
 })
 function login(user) {
+ $("#name").text(user);
 $.get("votings/login?user=" + user, function (result, status) {
- })
+ });
 }
-
 function getVotings() {
 $.get("votings/", function (result, status) {
 })
 }
+