diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/session/HashSessionManager.java b/jetty-server/src/main/java/org/eclipse/jetty/server/session/HashSessionManager.java
index f3993282ff9..ccb0d67728d 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/session/HashSessionManager.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/session/HashSessionManager.java
@@ -24,6 +24,7 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
+import java.net.URI;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.Map;
@@ -436,9 +437,9 @@ public class HashSessionManager extends AbstractSessionManager
     }
 
     /* ------------------------------------------------------------ */
-    public void setStoreDirectory (File dir)
+    public void setStoreDirectory (File dir) throws IOException
     {
-        _storeDir=dir;
+        _storeDir=dir.getCanonicalFile();
     }
 
     /* ------------------------------------------------------------ */
@@ -496,8 +497,9 @@ public class HashSessionManager extends AbstractSessionManager
 
     /* ------------------------------------------------------------ */
     protected synchronized HashedSession restoreSession(String idInCuster)
-    {
+    { 
         File file = new File(_storeDir,idInCuster);
 
+        FileInputStream in = null;
         Exception error = null;
         try
@@ -522,13 +524,15 @@ public class HashSessionManager extends AbstractSessionManager
 
         if (error != null)
         {
-            if (isDeleteUnrestorableSessions() && file.exists())
+            if (isDeleteUnrestorableSessions() && file.exists() && file.getParentFile().equals(_storeDir) )
             {
                 file.delete();
                 __log.warn("Deleting file for unrestorable session "+idInCuster, error);
             }
             else
+            {
                 __log.warn("Problem restoring session "+idInCuster, error);
+            }
         }
         else
             file.delete(); //delete successfully restored file
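Review bot: The new `file.getParentFile().equals(_storeDir)` guard in the `error != null` branch only protects the delete; `file` is still built from the raw session id at the top of restoreSession and handed to the read inside the try block, whose body lies outside these hunks, so an id that resolves outside the store directory is apparently still opened and deserialized before the guard is reached. I would reject such ids right after `File file = new File(_storeDir,idInCuster);`, e.g. `if (!_storeDir.equals(file.getParentFile())) { __log.warn("Ignoring session id outside store directory "+idInCuster); return null; }` (assuming callers treat a null return as "no session", which is not visible here), which also makes the later delete-branch check redundant. The comparison is only meaningful because setStoreDirectory now canonicalises `_storeDir` in the hunk at 437, so a comment such as `// _storeDir is canonical (see setStoreDirectory), so a plain parent comparison suffices` at the check would help the next reader. `setStoreDirectory` now declares `throws IOException`, a source-incompatible change for existing callers that should be called out in the commit. `java.net.URI` is imported in the first hunk but nothing in the visible hunks uses it.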
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/session/HashSessionManagerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/session/HashSessionManagerTest.java
new file mode 100644
index 00000000000..85af18f9327
--- /dev/null
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/session/HashSessionManagerTest.java
@@ -0,0 +1,32 @@
+package org.eclipse.jetty.server.session;
+
+import java.io.File;
+
+import junit.framework.Assert;
+
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.junit.Test;
+
+public class HashSessionManagerTest
+{
+
+    @Test
+    public void testDangerousSessionId() throws Exception
+    {
+        final HashSessionManager manager = new HashSessionManager();
+        manager.setDeleteUnrestorableSessions(true);
+        manager.setLazyLoad(true);
+        File testDir = MavenTestingUtils.getTargetTestingDir("hashes");
+        testDir.mkdirs();
+        manager.setStoreDirectory(testDir);
+
+        MavenTestingUtils.getTargetFile("dangerFile.session").createNewFile();
+
+        Assert.assertTrue("File should exist!", MavenTestingUtils.getTargetFile("dangerFile.session").exists());
+
+        manager.getSession("../../dangerFile.session");
+
+        Assert.assertTrue("File should exist!", MavenTestingUtils.getTargetFile("dangerFile.session").exists());
+
+    }
+}
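Review bot: The test only checks that `dangerFile.session` survives the `manager.getSession("../../dangerFile.session")` call; it never asserts on the return value, so a regression that reads and restores a file outside the store directory without deleting it would still pass. Adding `Assert.assertNull(manager.getSession("../../dangerFile.session"));` (assuming getSession yields null for an unrestorable id, which is not visible here) would pin the intended behaviour, and a companion case showing that an unrestorable file inside `hashes` is still deleted would cover the positive path of the new check. The file mixes JUnit 3's `junit.framework.Assert` with JUnit 4's `org.junit.Test`; `org.junit.Assert` is the matching import. The created file is never removed, so a second run starts with a stale `dangerFile.session` under target; a `deleteOnExit()` on it or an `@After` cleanup would keep runs independent.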