diff --git a/oauthproxy.go b/oauthproxy.go
index b1ca922e9..db4e2e7e5 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -120,11 +120,27 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 
 	log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
 
-	aes_cipher, err := aes.NewCipher([]byte(opts.CookieSecret))
-	if err != nil {
-		log.Printf("error creating AES cipher; "+
-			"pass_access_token will be set to false: %s", err)
-		opts.PassAccessToken = false
+	var aes_cipher cipher.Block
+
+	if opts.PassAccessToken == true {
+		valid_cookie_secret_size := false
+		for _, i := range []int{16, 24, 32} {
+			if len(opts.CookieSecret) == i {
+				valid_cookie_secret_size = true
+			}
+		}
+		if valid_cookie_secret_size == false {
+			log.Fatal("cookie_secret must be 16, 24, or 32 bytes " +
+				"to create an AES cipher when " +
+				"pass_access_token == true")
+		}
+
+		var err error
+		aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret))
+		if err != nil {
+			log.Fatal("error creating AES cipher with "+
+				"pass_access_token == true: %s", err)
+		}
 	}
 
 	return &OauthProxy{
@@ -419,14 +435,17 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		// set cookie, or deny
 		if p.Validator(email) {
 			log.Printf("%s authenticating %s completed", remoteAddr, email)
+			encoded_token := ""
 			if p.PassAccessToken {
-				access_token, err = encodeAccessToken(p.AesCipher, access_token)
+				encoded_token, err = encodeAccessToken(p.AesCipher, access_token)
 				if err != nil {
 					log.Printf("error encoding access token: %s", err)
 				}
 			}
-			if access_token != "" {
-				p.SetCookie(rw, req, email+"|"+access_token)
+			access_token = ""
+
+			if encoded_token != "" {
+				p.SetCookie(rw, req, email+"|"+encoded_token)
 			} else {
 				p.SetCookie(rw, req, email)
 			}