diff --git a/server/common/recovery.go b/server/common/recovery.go
new file mode 100644
index 000000000..04a9fd9ef
--- /dev/null
+++ b/server/common/recovery.go
@@ -0,0 +1,20 @@
+package common
+
+import (
+ "net/http"
+)
+
+// previous cookie configuration in canary release of 2024/10 break existing cookie and
+// can introduce weird error when a user has things in cache.
+// this code will deprecate early 2025
+func RecoverFromBadCookie(res http.ResponseWriter) {
+ http.SetCookie(res, &http.Cookie{
+ Name: "auth",
+ Value: "",
+ MaxAge: -1,
+ HttpOnly: true,
+ SameSite: http.SameSiteStrictMode,
+ Path: WithBase("/api/"),
+ Secure: false,
+ })
+}
diff --git a/server/middleware/session.go b/server/middleware/session.go
index c682ac8b8..b1f95ccab 100644
--- a/server/middleware/session.go
+++ b/server/middleware/session.go
@@ -60,6 +60,7 @@ func SessionStart(fn HandlerFunc) HandlerFunc {
 }
 ctx.Authorization = _extractAuthorization(req)
 if ctx.Session, err = _extractSession(req, ctx); err != nil {
+ RecoverFromBadCookie(res)
 SendErrorResult(res, err)
 return
 }
@@ -282,7 +283,7 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
 str, err = DecryptString(SECRET_KEY_DERIVATE_FOR_USER, ctx.Share.Auth)
 if err != nil {
 // This typically happen when changing the secret key
- return session, nil
+ return session, ErrInternal
 }
 err = json.Unmarshal([]byte(str), &session)
 if IsDirectory(ctx.Share.Path) {
@@ -310,7 +311,7 @@ func _extractSession(req *http.Request, ctx *App) (map[string]string, error) {
 if err != nil {
 // This typically happen when changing the secret key
 Log.Debug("middleware::session decrypt error '%s'", err.Error())
- return session, nil
+ return session, ErrInternal
 }
 if err = json.Unmarshal([]byte(str), &session); err != nil {
 return session, err
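Review bot: The doc comment on the exported `RecoverFromBadCookie` does not start with the function name and reads as release history rather than a contract; I would replace it with `// RecoverFromBadCookie expires the "auth" cookie (Max-Age -1) using the same Path/HttpOnly/SameSite attributes the cookie is issued with, so a client left with an undecryptable cookie after the 2024/10 canary release can recover.` and keep the removal plan as a dated `// TODO(2025-Q1): remove once ...` line. A browser only applies the expiring Set-Cookie to the existing cookie when Name, Path and Domain match the ones used when `auth` was issued; that issuing code is outside this diff, so it is worth confirming it uses `WithBase("/api/")` and no Domain, or pointing both at one shared set of attributes. `Secure: false` next to HttpOnly and SameSite=Strict is presumably intentional so the clear also works on plain-HTTP deployments, but that reasoning should be in a comment, e.g. `Secure: false, // must also clear on non-TLS deployments`.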
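Review bot: `RecoverFromBadCookie(res)` runs on every non-nil error from `_extractSession`, not only the undecryptable-cookie case this commit turns into `ErrInternal`, so a malformed-JSON or other transient error also deletes the caller's `auth` cookie and forces a re-login. If the intent is to recover only from a cookie that can no longer be decrypted, gate the call: `if errors.Is(err, ErrInternal) { RecoverFromBadCookie(res) }` (the `errors` import lives outside this hunk and may need adding). Placing the call before `SendErrorResult` is the right order, since `http.SetCookie` has to add its header before the response status is written. The enclosing `SessionStart` closure starts and ends outside this hunk.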
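Review bot: The comment `// This typically happen when changing the secret key` now sits above a branch that rejects the request instead of silently continuing, and this branch, unlike the one in the `@@ -310,7 +311,7 @@` hunk, drops the decrypt error without logging it; I would change the comment to `// Undecryptable token (typically after a secret key rotation): reject so the client can clear it` and add the same `Log.Debug` the other branch has. Both hunks return the partially built `session` together with `ErrInternal`; `return nil, ErrInternal` avoids a caller reading a half-populated map on the error path. Whether `ErrInternal` maps to a 5xx status is not visible here; if it does, a stale client-supplied cookie would be reported as a server error, and a 401-class error may be the better fit. `_extractSession` starts and ends outside both hunks.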