diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
index 791318d8a..a3393a72a 100644
--- a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
+++ b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md
@@ -598,8 +598,7 @@ In addition, you can tighten password security with the following configuration
  * `Member.password_expiry_days`: Set the number of days that a password should be valid for.
  * `Member.lock_out_after_incorrect_logins`: Number of incorrect logins after which the user is blocked from further attempts for the timespan defined in `$lock_out_delay_mins`
- * `Member.lock_out_delay_mins`: Minutes of enforced lockout after incorrect password attempts.
- Only applies if `lock_out_after_incorrect_logins` is greater than 0.
+ * `Member.lock_out_delay_mins`: Minutes of enforced lockout after incorrect password attempts. Only applies if `lock_out_after_incorrect_logins` is greater than 0.
  * `Security.remember_username`: Set to false to disable autocomplete on login form
 
 ## Clickjacking: Prevent iframe Inclusion
diff --git a/src/Security/Security.php b/src/Security/Security.php
index 2a4abc86b..b2fe42d1d 100644
--- a/src/Security/Security.php
+++ b/src/Security/Security.php
@@ -2,6 +2,7 @@
 
 namespace SilverStripe\Security;
 
+use BadMethodCallException;
 use LogicException;
 use Page;
 use ReflectionClass;
@@ -420,10 +421,14 @@ class Security extends Controller implements TemplateGlobalProvider
             $message = $messageSet['default'];
         }
 
-        list($messageText, $messageCast) = $parseMessage($message);
-        static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast);
+        try {
+            list($messageText, $messageCast) = $parseMessage($message);
+            static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast);
 
-        $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
+            $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
+        } catch (BadMethodCallException $ex) {
+            // noop, if session was not set yet
+        }
 
         // TODO AccessLogEntry needs an extension to handle permission denied errors
         // Audit logging hook
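Review bot: The new try block also wraps `list($messageText, $messageCast) = $parseMessage($message);`, so a BadMethodCallException raised while parsing the message set — a programming error unrelated to the session — is swallowed by the same silent catch as the "no session" case it was added for. Move that `list(...)` line above the `try {` and keep only the two session-touching calls (`setSessionMessage(...)` and the `getSession()->set("BackURL", ...)`) inside it, so the guard covers exactly the failure it is meant to tolerate. The catch is a deliberate best-effort, but `// noop, if session was not set yet` should say what is being dropped; suggested wording: `// Request has no session yet (presumably getSession() throws BadMethodCallException): the warning message and BackURL cannot be stored, so the redirect proceeds without them`. The unused `$ex` can be kept for PHP 7 compatibility but is worth noting in that comment. The enclosing method starts and ends outside this hunk.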