diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 9d0fd780..85efb008 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -203,17 +203,29 @@ exports.handleMessage = function(client, message)
       //check permissions
       function(callback)
       {
-        
-        // If the message has a padId we assume the client is already known to the server and needs no re-authorization
-        if(!message.padId)
-          return callback();
+        // client tried to auth for the first time (first msg from the client)
+        if(message.type == "CLIENT_READY") {
+          // Remember this information since we won't
+          // have the cookie in further socket.io messages.
+          // This information will be used to check if
+          // the sessionId of this connection is still valid
+          // since it could have been deleted by the API.
+          sessioninfos[client.id].auth =
+          {
+            sessionID: message.sessionID,
+            padID: message.padId,
+            token : message.token,
+            password: message.password
+          };
+        }
 
         // Note: message.sessionID is an entirely different kind of
-        // session from the sessions we use here! Beware! FIXME: Call
-        // our "sessions" "connections".
+        // session from the sessions we use here! Beware!
+        // FIXME: Call our "sessions" "connections".
         // FIXME: Use a hook instead
         // FIXME: Allow to override readwrite access with readonly
-        securityManager.checkAccess(message.padId, message.sessionID, message.token, message.password, function(err, statusObject)
+        var auth = sessioninfos[client.id].auth;
+        securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, function(err, statusObject)
         {
           if(ERR(err, callback)) return;
 
diff --git a/src/static/js/pad.js b/src/static/js/pad.js
index 01f1bbcb..504bc21e 100644
--- a/src/static/js/pad.js
+++ b/src/static/js/pad.js
@@ -252,14 +252,22 @@ function handshake()
   socket.on('message', function(obj)
   {
     //the access was not granted, give the user a message
-    if(!receivedClientVars && obj.accessStatus)
+    if(obj.accessStatus)
     {
-      $('.passForm').submit(require(module.id).savePassword);
+      if(!receivedClientVars)
+        $('.passForm').submit(require(module.id).savePassword);
 
       if(obj.accessStatus == "deny")
       {
         $('#loading').hide();
         $("#permissionDenied").show();
+
+        if(receivedClientVars)
+        {
+          // got kicked
+          $("#editorcontainer").hide();
+          $("#editorloadingbox").show();
+        }
       }
       else if(obj.accessStatus == "needPassword")
       {