diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 78f5d9d4f1e..b5f88def445 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -199,12 +199,17 @@ $sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
 session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
-session_start();
-if (ini_get('register_globals')) // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
+// This create lock released until session_write_close() or end of page.
+// We need this lock as long as we read/write $_SESSION ['vars']. We can close released when finished.
+if (! defined('NOSESSION'))
 {
- foreach ($_SESSION as $key=>$value)
+ session_start();
+ if (ini_get('register_globals')) // Deprecated in 5.3 and removed in 5.4. To solve bug in using $_SESSION
 {
- if (isset($GLOBALS[$key])) unset($GLOBALS[$key]);
+ foreach ($_SESSION as $key=>$value)
+ {
+ if (isset($GLOBALS[$key])) unset($GLOBALS[$key]);
+ }
 }
 }
diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php
index ecb1c46478f..fc1c41895a4 100644
--- a/htdocs/master.inc.php
+++ b/htdocs/master.inc.php
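Review bot: In htdocs/main.inc.php, the new `if (! defined('NOSESSION'))` guard leaves `$_SESSION` unset for everything that runs afterwards, and the added comments do not say which pages may define the constant. Login state and any token checks further down the file presumably rely on `$_SESSION` (that code is outside this hunk), so the constant should be reserved for pages that need no authenticated state. I would spell that out where the guard is, e.g. `// NOSESSION: session_start() is skipped, so no session lock is taken and $_SESSION is unavailable; define it only on pages that do not need a login.` The first added comment would also read more clearly as `// session_start() takes a lock on the session that is held until session_write_close() or the end of the page.`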
@@ -142,33 +142,34 @@ if (! defined('NOREQUIREUSER'))
 * Load object $conf
 * After this, all parameters conf->global->CONSTANTS are loaded
 */
+
+// By default conf->entity is 1, but we change this if we ask another value.
+if (session_id() && ! empty($_SESSION["dol_entity"])) // Entity inside an opened session
+{
+ $conf->entity = $_SESSION["dol_entity"];
+}
+else if (! empty($_ENV["dol_entity"])) // Entity inside a CLI script
+{
+ $conf->entity = $_ENV["dol_entity"];
+}
+else if (isset($_POST["loginfunction"]) && GETPOST("entity")) // Just after a login page
+{
+ $conf->entity = GETPOST("entity",'int');
+}
+else if (defined('DOLENTITY') && is_numeric(DOLENTITY)) // For public page with MultiCompany module
+{
+ $conf->entity = DOLENTITY;
+}
+else if (!empty($_COOKIE['DOLENTITY'])) // For other application with MultiCompany module (TODO: We should remove this. entity to use should never be stored into client side)
+{
+ $conf->entity = $_COOKIE['DOLENTITY'];
+}
+
+// Sanitize entity
+if (! is_numeric($conf->entity)) $conf->entity=1;
+
 if (! defined('NOREQUIREDB'))
 {
- // By default conf->entity is 1, but we change this if we ask another value.
- if (session_id() && ! empty($_SESSION["dol_entity"])) // Entity inside an opened session
- {
- $conf->entity = $_SESSION["dol_entity"];
- }
- else if (! empty($_ENV["dol_entity"])) // Entity inside a CLI script
- {
- $conf->entity = $_ENV["dol_entity"];
- }
- else if (isset($_POST["loginfunction"]) && GETPOST("entity")) // Just after a login page
- {
- $conf->entity = GETPOST("entity",'int');
- }
- else if (defined('DOLENTITY') && is_numeric(DOLENTITY)) // For public page with MultiCompany module
- {
- $conf->entity = DOLENTITY;
- }
- else if (!empty($_COOKIE['DOLENTITY'])) // For other application with MultiCompany module (TODO: We should remove this. entity to use should never be stored into client side)
- {
- $conf->entity = $_COOKIE['DOLENTITY'];
- }
-
- // Sanitize entity
- if (! is_numeric($conf->entity)) $conf->entity=1;
-
 //print "Will work with data into entity instance number '".$conf->entity."'";
 // Here we read database (llx_const table) and define $conf->global->XXX var.
diff --git a/htdocs/public/test/test_sessionlock.php b/htdocs/public/test/test_sessionlock.php
new file mode 100644
index 00000000000..b0eb25d831e
--- /dev/null
+++ b/htdocs/public/test/test_sessionlock.php
@@ -0,0 +1,36 @@
+';
+
+print session_status();
+require '../../main.inc.php';
+print session_status();
+print '
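Review bot: In htdocs/master.inc.php, the relocated check `if (! is_numeric($conf->entity)) $conf->entity=1;` accepts more than an entity id, because `is_numeric()` is also true for strings such as `-1`, `1.5` or `1e3`, and the `$_ENV["dol_entity"]` and `$_COOKIE['DOLENTITY']` branches above it hand the raw string through. With the block now outside the `NOREQUIREDB` guard, every page that includes this file takes `$conf->entity` from it, including the client-supplied cookie value that the TODO already questions. I would normalise to an integer at this point, e.g. `$conf->entity = ctype_digit((string) $conf->entity) ? (int) $conf->entity : 1;`. How `$conf->entity` is used in later queries is outside this hunk, so the downstream impact is inferred rather than shown.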
';
+
+//print 'a'.$_SESSION['disablemodules'].'b';
+
+print 'This page is visible. It means you are not locked.';
+
+//session_write_close();
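Review bot: htdocs/public/test/test_sessionlock.php adds a diagnostic page under `htdocs/public/`, which by its path is presumably reachable without a login, and nothing in the visible lines restricts who can request it. It prints `session_status()` before and after including main.inc.php, which is useful while checking the lock but is not something a production install needs to serve. The first lines of the file are not visible on this page, so which constants it defines before the `require` cannot be confirmed. I would keep it out of released packages or move it beside the other test scripts, and open it with a comment such as `// Diagnostic page for the session lock; not for production servers.`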