diff --git a/src/mod_sso/mod_sso.cc b/src/mod_sso/mod_sso.cc
index f9f2d09ee89672eb16798f81d971620134e0e9e3..1726bf6f32ebe2e2c99364b0ee4da48a18d93062 100644
--- a/src/mod_sso/mod_sso.cc
+++ b/src/mod_sso/mod_sso.cc
@@ -396,8 +396,7 @@ static int mod_sso_method_handler (request_rec *r)
     modsso::params_t params = modsso::parse_query_string(query_string);
     string t(params["t"]);
     string d(params["d"]);
-    modsso::set_cookie(r, sso_cookie_name, modsso::base64_decode(t),
-                       service_path);
+    modsso::set_cookie(r, sso_cookie_name, t, service_path);
     string redir(modsso::url_decode(d));
     if (!is_valid_redir(redir, service)) {
       ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
@@ -513,7 +512,7 @@ static int mod_sso_authenticate_user(request_rec *r)
   mod_sso_parse_requirements(r, req_groups, req_users, &allow_any_user);
 
   // Test for valid cookie
-  string sso_cookie = get_cookie(r, sso_cookie_name);
+  string sso_cookie = modsso::base64_decode(get_cookie(r, sso_cookie_name));
   if (!sso_cookie.empty()) {
     sso::Verifier verifier(s_cfg->public_key, s_cfg->service,
                            s_cfg->domain, req_groups);
diff --git a/src/mod_sso/test/httpd_integration_test.py b/src/mod_sso/test/httpd_integration_test.py
index 826ed3cd8c0add6ca5dfe0c226edadf4d75b6121..9d979fcff012ccc46f967858c55a68ccc5501fe4 100755
--- a/src/mod_sso/test/httpd_integration_test.py
+++ b/src/mod_sso/test/httpd_integration_test.py
@@ -63,7 +63,7 @@ class HttpdIntegrationTest(unittest.TestCase):
     def testRedirectionUrls(self):
 
         def mkcookie(tkt):
-            return "SSO_test=%s" % tkt
+            return "SSO_test=%s" % base64.b64encode(tkt)
 
         # Tests have a name so that we can recognize failures.
         checks = [
@@ -154,7 +154,7 @@ class HttpdIntegrationTest(unittest.TestCase):
         self.assertEquals(302, resp.status)
         set_cookie = resp.getheader("Set-Cookie")
         self.assertTrue(set_cookie)
-        self.assertTrue(tkt in set_cookie)
+        self.assertTrue(base64.b64encode(tkt) in set_cookie)
         conn.close()
 
         # test the /sso_logout endpoint
diff --git a/src/python/sso/middleware.py b/src/python/sso/middleware.py
index 539b61f8224fdb6fc0d1fa80e17e8e916cc7b117..49b04a4e169845c8e9c8f522af364a0cceccf6f9 100644
--- a/src/python/sso/middleware.py
+++ b/src/python/sso/middleware.py
@@ -82,7 +82,7 @@ class SSOMiddleware:
         uri = environ['SCRIPT_NAME'] + environ['PATH_INFO']
         if uri == '/sso_login':
             query = cgi.parse(environ=environ, keep_blank_values=True)
-	    ticket = base64.b64decode(query['t'][0])
+	    ticket = query['t'][0]
             hdrs = [('Set-Cookie', set_cookie(self.cookie_name, ticket))]
             return redirect(query['d'][0], hdrs, environ, start_response)
         elif uri == '/sso_logout':
@@ -96,11 +96,11 @@ class SSOMiddleware:
             if self.cookie_name in cookies:
                 ticket = cookies[self.cookie_name].value
                 try:
-                    tkt = self.verifier.verify(ticket)
+                    tkt = self.verifier.verify(base64.b64decode(ticket))
                     environ['sso.ok'] = True
                     environ['REMOTE_USER'] = tkt.user()
                     return self.next_app(environ, start_response)
-                except ValueError, e:
+                except (TypeError, ValueError) as e:
                     log.error('SSO authentication failed for %s: %s', uri, e)
 
             full_url = get_full_url(environ, self.base_url)
diff --git a/src/sso_server/sso_server/application.py b/src/sso_server/sso_server/application.py
index 3e87f68f72f3d753cac022877a9636722e4f6d32..780a870d5a075a938b693ea17aa4c73dd88eab6b 100644
--- a/src/sso_server/sso_server/application.py
+++ b/src/sso_server/sso_server/application.py
@@ -1,3 +1,4 @@
+import base64
 import functools
 import json
 import logging
@@ -83,8 +84,12 @@ def login():
     # form.
     local_ticket_str = request.cookies.get(SSO_COOKIE_NAME)
     if local_ticket_str:
-        local_ticket = app.login_service.local_authorize(
-            _tostr(local_ticket_str))
+        try:
+            local_ticket = app.login_service.local_authorize(
+                _tostr(base64.b64decode(local_ticket_str)))
+        except:
+            log.warn('error decoding ticket')
+            local_ticket = None
     else:
         local_ticket = None
 
@@ -108,7 +113,8 @@ def login():
             return show_login_page(params, 'Authentication failed')
 
         # Set local auth cookie.
-        local_ticket_str = app.login_service.local_generate(username)
+        local_ticket_str = base64.b64encode(
+            app.login_service.local_generate(username))
 
     # At this point the user is authenticated, check authorization
     # and create the single sign-on ticket.
diff --git a/src/sso_server/sso_server/test/sso_server_test.py b/src/sso_server/sso_server/test/sso_server_test.py
index ebae3cd9611809706c674ba705875eea745a4b44..5e6bcf1798d2ec105db9e86b1709520eaff2c53e 100644
--- a/src/sso_server/sso_server/test/sso_server_test.py
+++ b/src/sso_server/sso_server/test/sso_server_test.py
@@ -1,3 +1,4 @@
+import base64
 import logging
 import os
 import re
@@ -55,7 +56,7 @@ class SSOServerTest(unittest.TestCase):
         shutil.rmtree(self.tmpdir)
 
     def get_local_ticket(self, user):
-        return self.app.login_service.local_generate(user)
+        return base64.b64encode(self.app.login_service.local_generate(user))
 
     def get_auth_client(self, user='user', ticketstr=None):
         if not ticketstr: