diff --git a/webserver.js b/webserver.js
index 68356f8e..1369ec2e 100644
--- a/webserver.js
+++ b/webserver.js
@@ -2883,13 +2883,15 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
             // Send back the login application
             // If this is a 2 factor auth request, look for a hardware key challenge.
             // Normal login 2 factor request
-            const sec = parent.decryptSessionData(req.session.e);
             if (req.session && (req.session.loginmode == 4) && (sec.tuserid)) {
-                var user = obj.users[sec.tuserid];
-                if (user != null) {
-                    parent.debug('web', 'handleRootRequestEx: sending 2FA challenge.');
-                    getHardwareKeyChallenge(req, domain, user, function (hwchallenge) { handleRootRequestLogin(req, res, domain, hwchallenge, passRequirements); });
-                    return;
+                const sec = parent.decryptSessionData(req.session.e);
+                if (sec != null) {
+                    const user = obj.users[sec.tuserid];
+                    if (user != null) {
+                        parent.debug('web', 'handleRootRequestEx: sending 2FA challenge.');
+                        getHardwareKeyChallenge(req, domain, user, function (hwchallenge) { handleRootRequestLogin(req, res, domain, hwchallenge, passRequirements); });
+                        return;
+                    }
                 }
             }
             // Password recovery 2 factor request