diff --git a/server/http_test.go b/server/http_test.go
index 379f82f489418a6cb2fe0adf6045f348e171e39e..a65b21a4e62d084dce8f6890b31feb6ccc86a5e4 100644
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -195,6 +195,69 @@ func TestHTTP_Login(t *testing.T) {
 	doPostForm(t, httpSrv, c, "/login", v, checkRedirectToTargetService)
 }
 
+func TestHTTP_LoginOnSecondAttempt(t *testing.T) {
+	tmpdir, httpSrv := startTestHTTPServer(t)
+	defer os.RemoveAll(tmpdir)
+	defer httpSrv.Close()
+
+	c := newTestHTTPClient()
+
+	// Simulate an authorization request from a service, expect to
+	// see the login page.
+	v := make(url.Values)
+	v.Set("s", "service.example.com/")
+	v.Set("d", "https://service.example.com/admin/")
+	v.Set("n", "averysecretnonce")
+	doGet(t, httpSrv, c, "/?"+v.Encode(), checkStatusOk, checkLoginPasswordPage)
+
+	// Attempt to login with wrong credentials.
+	v = make(url.Values)
+	v.Set("username", "testuser")
+	v.Set("password", "badpassword")
+	doPostForm(t, httpSrv, c, "/login", v, checkStatusOk, checkLoginPasswordPage)
+
+	// Attempt to login by submitting the form. We expect the
+	// result to be a 302 redirect to the target service.
+	v = make(url.Values)
+	v.Set("username", "testuser")
+	v.Set("password", "password")
+	doPostForm(t, httpSrv, c, "/login", v, checkRedirectToTargetService)
+}
+
+func TestHTTP_LoginAndLogout(t *testing.T) {
+	tmpdir, httpSrv := startTestHTTPServer(t)
+	defer os.RemoveAll(tmpdir)
+	defer httpSrv.Close()
+
+	c := newTestHTTPClient()
+
+	// Simulate an authorization request from a service, expect to
+	// see the login page.
+	v := make(url.Values)
+	v.Set("s", "service.example.com/")
+	v.Set("d", "https://service.example.com/admin/")
+	v.Set("n", "averysecretnonce")
+	doGet(t, httpSrv, c, "/?"+v.Encode(), checkStatusOk, checkLoginPasswordPage)
+
+	// Attempt to login by submitting the form. We expect the
+	// result to be a 302 redirect to the target service.
+	v = make(url.Values)
+	v.Set("username", "testuser")
+	v.Set("password", "password")
+	doPostForm(t, httpSrv, c, "/login", v, checkRedirectToTargetService)
+
+	// Make a logout request.
+	doGet(t, httpSrv, c, "/logout", checkStatusOk)
+	doPostForm(t, httpSrv, c, "/logout", nil, checkStatusOk)
+
+	// This new authorization request should send us to the login page.
+	v = make(url.Values)
+	v.Set("s", "service.example.com/")
+	v.Set("d", "https://service.example.com/admin/")
+	v.Set("n", "averysecretnonce")
+	doGet(t, httpSrv, c, "/?"+v.Encode(), checkStatusOk, checkLoginPasswordPage)
+}
+
 func TestHTTP_LoginOTP(t *testing.T) {
 	tmpdir, httpSrv := startTestHTTPServer(t)
 	defer os.RemoveAll(tmpdir)