diff --git a/test/functional/SessionCleanupTest.php b/test/functional/SessionCleanupTest.php
new file mode 100644
index 000000000..a51b77bec
--- /dev/null
+++ b/test/functional/SessionCleanupTest.php
@@ -0,0 +1,32 @@
+switchUser("Normal");
+ $first_session_id = session_id();
+ $_SESSION["csrf_tokens"] = ["foobar"];
+ // set last login timestamp to 1970-00-00 00:00
+ // assume duration from epoch until now is greater than config session_cleanup_idle_seconds
+ $_SESSION["LAST_ACTIVITY"] = 0;
+ $this->switchUser("Normal");
+ $this->assertEquals($first_session_id, session_id());
+ $this->assertEmpty($_SESSION["csrf_tokens"]);
+ }
+
+ public function testSessionNotCleanedUp()
+ {
+ global $_SESSION;
+ $this->switchUser("Normal");
+ $first_session_id = session_id();
+ $_SESSION["csrf_tokens"] = ["foobar"];
+ // set last login timestamp to a future timestamp
+ // assume negative time delta is less than config session_cleanup_idle_seconds
+ $_SESSION["LAST_ACTIVITY"] = time() + 999;
+ $this->switchUser("Normal");
+ $this->assertEquals($first_session_id, session_id());
+ $this->assertEqualsCanonicalizing(["foobar"], $_SESSION["csrf_tokens"]);
+ }
+}
diff --git a/test/phpunit-bootstrap.php b/test/phpunit-bootstrap.php
index de4cdf97e..1c371e5ff 100644
--- a/test/phpunit-bootstrap.php
+++ b/test/phpunit-bootstrap.php
@@ -253,7 +253,7 @@ class UnityWebPortalTestCase extends TestCase
 {
 private ?string $last_user_nickname = null;
 private ?string $current_user_nickname = null;
- private array $uid_to_latest_session_id = [];
+ private array $nickname_to_latest_session_id = [];
 // FIXME these names are wrong
 private static array $UID2ATTRIBUTES = [
 "user1_org1_test" => ["user1@org1.test", "foo", "bar", "user1@org1.test"],
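Review bot: In test/functional/SessionCleanupTest.php, `testSessionNotCleanedUp` only exercises a future `LAST_ACTIVITY` (`time() + 999`), so the ordinary case of a session that was active moments ago is never asserted to survive, and the test also pins the behaviour that a timestamp ahead of the clock keeps a session alive. I would add a case with `$_SESSION["LAST_ACTIVITY"] = time();` and, if the configured `session_cleanup_idle_seconds` is reachable from the test, one value just inside and one just past that threshold instead of relying on 0 and +999. The comment in `testSessionCleanup` should read `// set last activity timestamp to the epoch (1970-01-01 00:00 UTC)`, since 1970-00-00 is not a date and the key is LAST_ACTIVITY rather than a login time. `global $_SESSION;` is redundant because `$_SESSION` is a superglobal. The opening of the file and of `testSessionCleanup` is not visible in the hunk as shown on this page.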
@@ -529,12 +529,13 @@ function switchUser(
 if (session_status() === PHP_SESSION_ACTIVE) {
 session_write_close();
 }
- if (!$reuse_last_session || !array_key_exists($nickname, $this->uid_to_latest_session_id)) {
+ $previous_session_id = $this->nickname_to_latest_session_id[$nickname] ?? null;
+ if (!$reuse_last_session || !$previous_session_id) {
 $session_id = str_replace(["_", "@", "."], "-", uniqid($eppn . "_"));
- $this->uid_to_latest_session_id[$uid] = $session_id;
+ $this->nickname_to_latest_session_id[$nickname] = $session_id;
 session_id($session_id);
 } else {
- session_id($this->uid_to_latest_session_id[$uid]);
+ session_id($previous_session_id);
 }
 $this->last_user_nickname = $this->current_user_nickname;
 $this->current_user_nickname = $nickname;
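Review bot: The reuse guard `!$previous_session_id` in switchUser tests truthiness, while the `?? null` lookup on the line before it only signals absence; comparing explicitly, `if (!$reuse_last_session || $previous_session_id === null) {`, states the intent and does not depend on what string the generator produces. A short comment above the lookup such as `// sessions are tracked per nickname so a repeated switchUser() resumes the same session` would document why the map key changed from `$uid`. switchUser starts and ends outside this hunk, so whether `$uid` is still used elsewhere in the body cannot be confirmed here.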