diff --git a/webapp/controller/BaseAuthedController.class.php b/webapp/controller/BaseAuthedController.class.php
index 4a8a2ea2..f93f919e 100644
--- a/webapp/controller/BaseAuthedController.class.php
+++ b/webapp/controller/BaseAuthedController.class.php
@@ -30,7 +30,20 @@ class BaseAuthedController extends BaseController {
 
 if (!phpcommon\isValidSessionId($this->accountId, $this->sessionId)) {
 phpcommon\sendError(500, 'invalid session_id');
- die();
+ die();
+ }
+ if (!(getReqVal('c', '') == 'User' && getReqVal('c', '') == 'login')) {
+ $r = $this->_getRedis($this->_getAccountId());
+ $sessionId = $r->get(LAST_SESSION_KEY . $this->_getAccountId());
+ if (empty($sessionId)) {
+ $this->updateSession(myself()->_getAccountId(),
+ myself()->_getSessionId());
+ } else if ($sessionId != $this->_getSessionId()) {
+ error_log('session expiration' . json_encode(
+ $_REQUEST
+ ));
+ phpcommon\sendError(1001, 'session expiration');
+ }
 }
 if (!(getReqVal('c', '') == 'User' && getReqVal('c', '') == 'login')) {
 $r = $this->_getRedis($this->_getAccountId());
@@ -50,8 +63,8 @@ class BaseAuthedController extends BaseController {
 protected function updateSession($accountId, $sessionId)
 {
 $r = $this->_getRedis($this->_getAccountId());
- $r->set(LAST_SESSION_KEY . $this->_getAccountId());
- $r->pexpire(LAST_SESSION_KEY . $this->_getAccountId(), 3600 * 24);
+ $r->set(LAST_SESSION_KEY . $this->_getAccountId(), $sessionId);
+ $r->pexpire(LAST_SESSION_KEY . $this->_getAccountId(), 1000 * 3600 * 24);
 }
 
 public function _getAccountId()
diff --git a/webapp/controller/UserController.class.php b/webapp/controller/UserController.class.php
index 33d3d3d9..8cd9d645 100644
--- a/webapp/controller/UserController.class.php
+++ b/webapp/controller/UserController.class.php
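Review bot: The added `else if` branch reports the mismatch with `phpcommon\sendError(1001, 'session expiration')` but does not stop the request, so a request carrying a stale session id still falls through into the controller action; the 500 branch directly above ends with `die()` and this branch needs the same: `phpcommon\sendError(1001, 'session expiration'); die();`. The exemption `!(getReqVal('c', '') == 'User' && getReqVal('c', '') == 'login')` compares the same parameter against two different strings, so the inner condition is never true and the check also runs on the login request itself; the second operand presumably meant the action parameter rather than `c` again. `error_log('session expiration' . json_encode($_REQUEST))` writes the whole request, session id included, into the log; logging only the account id is enough to diagnose the mismatch. The comparison `$sessionId != $this->_getSessionId()` should be `!==` so a non-string value from Redis cannot loosely match. The trailing context shows an identical `if (!(getReqVal('c', '') == 'User' ...` block immediately after the added one, so the same check now appears to run twice; the enclosing method continues outside the hunk.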
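Review bot: `updateSession($accountId, $sessionId)` still ignores its `$accountId` parameter and keys both the `set` and the `pexpire` on `$this->_getAccountId()`, so the signature promises something the body does not honour; either use the parameter (`$key = LAST_SESSION_KEY . $accountId;`) or drop it from the signature and the callers. The fix to store `$sessionId` and to pass milliseconds to `pexpire` is right, but `set` followed by `pexpire` is two round trips, and if the second one fails the key is left with no expiry at all; if `_getRedis()` returns a phpredis client the TTL can be attached in one call, `$r->set($key, $sessionId, ['px' => 1000 * 3600 * 24]);`. The expiry literal would also read better as a named constant stating that it is one day in milliseconds.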
@@ -24,8 +24,8 @@ class UserController extends BaseAuthedController {
 
 public function login()
 {
- $this->updateSession(myself()->_getAccountId(), myself()->_getSessionId());
-
+ $this->updateSession(myself()->_getAccountId(),
+ myself()->_getSessionId());
 //$user_name = $_REQUEST['name'];
 //$avatar_url = $_REQUEST['avatar_url'];