diff --git a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
index 1a3ba503c9..ebf05622f1 100644
--- a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
+++ b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
@@ -305,7 +305,7 @@ public Subject login(Subject subject, AuthenticationToken token) throws Authenti
      * @param subject Subject
      */
     protected void beforeSuccessfulLogin(Subject subject) {
-        Session session = subject.getSession(false);
+        Session session = subject != null ? subject.getSession(false) : null;
         if (session != null) {
             Map<Object, Object> attributes = new HashMap<>();
             session.getAttributeKeys().forEach(key -> attributes.put(key, session.getAttribute(key)));