diff --git a/lib/load_gen/common.js b/lib/load_gen/common.js
index cfb891898d198fac4f3754a120c639f5e9c23fe5..f26a4dfbc354a55aa1eb5bf18fcdd55c3f29ba56 100644
--- a/lib/load_gen/common.js
+++ b/lib/load_gen/common.js
@@ -46,7 +46,11 @@ exports.authAndKey = function(cfg, user, ctx, email, cb) {
 };
 
 exports.genAssertionAndVerify = function(cfg, user, ctx, email, audience, cb) {
-  var serverTime = new Date(ctx.session.server_time);
+  // assume server time is different from local time, and simulate what
+  // the web client does (calculates local delta from session creation time, and
+  // adds that to server time)
+  var t = new Date(((new Date()).getTime() - ctx.sessionStartedAt) + ctx.session.server_time);
+
   wcli.get(cfg, '/wsapi/list_emails', ctx, undefined, function (r) {
     // just verify that we got a JSON object, we don't care about
     // the contents so much
@@ -57,7 +61,7 @@ exports.genAssertionAndVerify = function(cfg, user, ctx, email, audience, cb) {
     }
 
     var assertion = crypto.getAssertion({
-      now: serverTime,
+      now: t,
       secretKey: ctx.keys[email].keyPair.secretKey,
       cert: ctx.keys[email].cert,
       audience: audience,
diff --git a/lib/wsapi_client.js b/lib/wsapi_client.js
index 7fd111317bc48d4124bb5f892cb3f2f94335a89a..ba560f0012752de92dfb2afe857629c799f6159a 100644
--- a/lib/wsapi_client.js
+++ b/lib/wsapi_client.js
@@ -118,6 +118,7 @@ function withCSRF(cfg, context, cb) {
       try {
         if (r.code !== 200) throw 'http error';
         context.session = JSON.parse(r.body);
+        context.sessionStartedAt = new Date().getTime();
         cb(context.session.csrf_token);
       } catch(e) {
         console.log('error getting csrf token: ', e);