diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
index 41fce0be5ee..0642b422a24 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
@@ -246,6 +246,16 @@ public class OpenIdAuthenticator extends LoginAuthenticator
 try
 {
+ if (request.isRequestedSessionIdFromURL())
+ {
+ if (LOG.isDebugEnabled())
+ LOG.debug("Session ID should be cookie for OpenID authentication to work");
+
+ int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
+ baseResponse.sendRedirect(redirectCode, URIUtil.addPaths(request.getContextPath(), _errorPage));
+ return Authentication.SEND_FAILURE;
+ }
+
 // Handle a request for authentication.
 if (isJSecurityCheck(uri))
 {
@@ -288,7 +298,7 @@ public class OpenIdAuthenticator extends LoginAuthenticator
 response.setContentLength(0);
 int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
- baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(nuri));
+ baseResponse.sendRedirect(redirectCode, nuri);
 return openIdAuth;
 }
 }
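Review bot: The new URL-session-ID rejection branch redirects to `URIUtil.addPaths(request.getContextPath(), _errorPage)` without checking that `_errorPage` is set, while the existing `auth failed` redirect in the third hunk appears to sit inside a conditional whose head is outside the visible lines. If no error page is configured, the client would probably be redirected to a path built from a null page, which may itself require authentication; consider guarding it first with `if (_errorPage == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return Authentication.SEND_FAILURE; }`. The refusal is also logged only at debug level, so operators will not normally see that URL-borne session IDs are being rejected; a higher-level message that omits the ID itself would make this detectable. The enclosing method starts and ends outside the hunk.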
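Review bot: Nothing at the `baseResponse.sendRedirect(redirectCode, nuri)` call records why `response.encodeRedirectURL` was dropped, so a later cleanup could reintroduce it and let URL rewriting put the session ID back into the redirect target. Add a short comment such as `// Deliberately not encodeRedirectURL(): the session ID must never be rewritten into the redirect URL.` here and at the matching calls in the `auth failed` and `challenge` hunks; the challenge target looks like an external provider URL, where a rewritten ID would leave the server entirely. The `redirectCode` ternary is now repeated four times in this file section and could move into one private helper next to that comment. The enclosing block starts outside the hunk.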
@@ -308,7 +318,7 @@ public class OpenIdAuthenticator extends LoginAuthenticator
 if (LOG.isDebugEnabled())
 LOG.debug("auth failed {}", _errorPage);
 int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
- baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _errorPage)));
+ baseResponse.sendRedirect(redirectCode, URIUtil.addPaths(request.getContextPath(), _errorPage));
 }
 return Authentication.SEND_FAILURE;
@@ -399,7 +409,7 @@ public class OpenIdAuthenticator extends LoginAuthenticator
 if (LOG.isDebugEnabled())
 LOG.debug("challenge {}->{}", session.getId(), challengeUri);
 int redirectCode = (baseRequest.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
- baseResponse.sendRedirect(redirectCode, response.encodeRedirectURL(challengeUri));
+ baseResponse.sendRedirect(redirectCode, challengeUri);
 return Authentication.SEND_CONTINUE;
 }