diff --git a/src/httpd.js.c b/src/httpd.js.c
index a3d77ae8..1fb74aea 100644
--- a/src/httpd.js.c
+++ b/src/httpd.js.c
@@ -1281,6 +1281,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 			{
 				if (!have_account && _is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0 && _register_account(ssb, account_name, password))
 				{
+					tf_free((void*)send_session);
 					send_session = _make_session_jwt(ssb, account_name);
 					may_become_first_admin = true;
 				}
@@ -1295,6 +1296,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 				if (have_account && _is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 && _verify_password(password, account_passwd) &&
 					_set_account_password(context, db, account_name, new_password))
 				{
+					tf_free((void*)send_session);
 					send_session = _make_session_jwt(ssb, account_name);
 				}
 				else
@@ -1307,6 +1309,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 			{
 				if (have_account && *account_passwd && _verify_password(password, account_passwd))
 				{
+					tf_free((void*)send_session);
 					send_session = _make_session_jwt(ssb, account_name);
 					may_become_first_admin = true;
 				}
@@ -1318,6 +1321,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 		}
 		else
 		{
+			tf_free((void*)send_session);
 			send_session = _make_session_jwt(ssb, "guest");
 		}
 		tf_free(post_form_data);