diff --git a/gateway/api.go b/gateway/api.go
index 53da779b4f9..01174581f74 100644
--- a/gateway/api.go
+++ b/gateway/api.go
@@ -472,7 +472,7 @@ func handleGetDetail(sessionKey, apiID string, byHash bool) (interface{}, int) {
 		sessionManager = spec.SessionManager
 	}
 
-	var session user.SessionState
+	session := user.SessionState{Mutex: &sync.RWMutex{}}
 	var ok bool
 	session, ok = sessionManager.SessionDetail(sessionKey, byHash)
 
diff --git a/gateway/auth_manager.go b/gateway/auth_manager.go
index f28aff97d51..73f55c6c386 100644
--- a/gateway/auth_manager.go
+++ b/gateway/auth_manager.go
@@ -136,7 +136,7 @@ func (b *DefaultAuthorisationManager) Init(store storage.Handler) {
 // KeyAuthorised checks if key exists and can be read into a user.SessionState object
 func (b *DefaultAuthorisationManager) KeyAuthorised(keyName string) (user.SessionState, bool) {
 	jsonKeyVal, err := b.store.GetKey(keyName)
-	var newSession user.SessionState
+	newSession := user.SessionState{Mutex: &sync.RWMutex{}}
 	if err != nil {
 		log.WithFields(logrus.Fields{
 			"prefix":      "auth-mgr",
@@ -280,8 +280,7 @@ func (b *DefaultSessionManager) RemoveSession(keyName string, hashed bool) bool
 func (b *DefaultSessionManager) SessionDetail(keyName string, hashed bool) (user.SessionState, bool) {
 	var jsonKeyVal string
 	var err error
-	var session user.SessionState
-
+	session := user.SessionState{Mutex: &sync.RWMutex{}}
 	// get session by key
 	if hashed {
 		jsonKeyVal, err = b.store.GetRawKey(b.store.GetKeyPrefix() + keyName)
diff --git a/gateway/mw_http_signature_validation.go b/gateway/mw_http_signature_validation.go
index f2da8b774d4..0c893719aba 100644
--- a/gateway/mw_http_signature_validation.go
+++ b/gateway/mw_http_signature_validation.go
@@ -15,6 +15,7 @@ import (
 	"net/url"
 	"strconv"
 	"strings"
+	"sync"
 	"text/scanner"
 	"time"
 
@@ -96,7 +97,7 @@ func (hm *HTTPSignatureValidationMiddleware) ProcessRequest(w http.ResponseWrite
 
 	var secret string
 	var rsaKey *rsa.PublicKey
-	var session user.SessionState
+	session := user.SessionState{Mutex: &sync.RWMutex{}}
 
 	if strings.HasPrefix(fieldValues.Algorthm, "rsa") {
 		var certificateId string
diff --git a/gateway/oauth_manager.go b/gateway/oauth_manager.go
index c20a9839492..424dc5cc2ad 100644
--- a/gateway/oauth_manager.go
+++ b/gateway/oauth_manager.go
@@ -392,7 +392,7 @@ func (o *OAuthManager) HandleAccess(r *http.Request) *osin.Response {
 
 	if ar := o.OsinServer.HandleAccessRequest(resp, r); ar != nil {
 
-		var session *user.SessionState
+		session := &user.SessionState{Mutex: &sync.RWMutex{}}
 		if ar.Type == osin.PASSWORD {
 			username = r.Form.Get("username")
 			password := r.Form.Get("password")