diff --git a/lib/wsapi.js b/lib/wsapi.js
index e0bb7145f67429eda5ad600807492fdfbad63d93..9d8f8d825e46071fab9fdc0f366c838d282eccc0 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -150,7 +150,7 @@ function checkExpiredSession(req, resp, next) {
     // since the server was updated to use lastPasswordResets. Allow the
     // session to pass, otherwise the server upgrade would gratuitously
     // expire innocent sessions.
-    if (token != req.session.lastPasswordReset) {
+    if (token && token != req.session.lastPasswordReset) {
       logger.warn("expired cookie (password changed since issued)");
       req.session.reset();
     }