diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index 1996285ec98c13bbbc14d8b3b576ca3364bbccd9..7a65ec488f52322b0010ca8bfd33210324749bcf 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -58,20 +58,25 @@ exports.process = function(req, res) {
   }
 
   function postAuthentication() {
-    // the time the email verification is performed, we'll clear the pendingCreation
-    // data on the session.
-    delete req.session.pendingCreation;
-
     db.haveVerificationSecret(req.body.token, function(err, known) {
       if (err) return wsapi.databaseDown(res, err);
 
-      if (!known) return res.json({ success: false} );
+      if (!known) {
+        // clear the pendingCreation token from the session if we find no such
+        // token in the database
+        delete req.session.pendingCreation;
+        return res.json({ success: false} );
+      }
 
       db.gotVerificationSecret(req.body.token, function(err, email, uid) {
         if (err) {
           logger.warn("couldn't complete email verification: " + err);
           wsapi.databaseDown(res, err);
         } else {
+          // clear the pendingCreation token from the session once we
+          // successfully complete user creation
+          delete req.session.pendingCreation;
+
           // At this point, the user is either on the same browser with a token from
           // their email address, OR they've provided their account password.  It's
           // safe to grant them an authenticated session.