diff --git a/server/http.go b/server/http.go
index cc299c23683548e6e0f71ebab900e77f1d385bf4..a8227fef28fd0a8c311ee7b908acad18ad741a63 100644
--- a/server/http.go
+++ b/server/http.go
@@ -122,6 +122,13 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 			return nil, err
 		}
 		root.Handle(h.urlFor("/favicon.ico"), siteFavicon)
+	} else if urlPrefix == "" {
+		// Block default favicon requests (created by error pages, or
+		// if we don't set a custom favicon) *before* the login
+		// handler runs, or it will invalidate the session!
+		root.HandleFunc(h.urlFor("/favicon.ico"), func(w http.ResponseWriter, r *http.Request) {
+			http.NotFound(w, r)
+		})
 	}
 
 	// Serve static content to anyone.
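Review bot: The new `else if urlPrefix == ""` branch registers the favicon 404 only when there is no URL prefix, and the comment above the handler does not say why the prefixed deployment needs no such guard, so a reader cannot tell whether prefixed instances still hit the session-invalidation problem the comment warns about. If the reason is that with a prefix the grant-ticket handler is not mounted at the mux root, so an unmatched `/favicon.ico` never reaches the login handler, state it in the comment, e.g. `// With a URL prefix the ticket handler is not at the mux root, so a stray /favicon.ico never reaches the login handler.`; if that is not the reason, the condition itself deserves a second look. The inline closure is also just the stdlib handler: `root.Handle(h.urlFor("/favicon.ico"), http.NotFoundHandler())`. New's body starts before this hunk and continues after it.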
@@ -212,6 +219,13 @@ func (h *Server) loginCallback(ctx context.Context, username, password string, u
 // signing a token with the user's identity. The client is redirected back to
 // the original service, with the signed token.
 func (h *Server) handleGrantTicket(w http.ResponseWriter, req *http.Request) {
+	// We need this check here because this handler is usually
+	// mounted at the application root.
+	if req.URL.Path != h.urlFor("/") {
+		http.NotFound(w, req)
+		return
+	}
+
 	// Extract the authorization request parameters from the HTTP
 	// request query args.
 	//
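Review bot: The added path check in handleGrantTicket rejects anything but exactly `h.urlFor("/")`, which is the right guard for a handler registered on a subtree pattern, but the two-line comment before it explains only where the handler is mounted, not what the check prevents or what it cannot prevent. The favicon comment elsewhere in this diff says the login handler runs before this function and invalidates the session, so if that ordering holds a stray request has already done its damage by the time this check fires; the comment should then make clear that this only stops ticket issuance on unmatched paths and is not a substitute for blocking them at the mux, e.g. `// Mounted on a subtree pattern, so every unmatched path lands here; refuse them before parsing the auth request (this does not undo what earlier middleware already did).` If the module targets Go 1.22 or later, registering the handler with a `{$}` pattern would make the match exact at the mux and let this check become defence in depth. handleGrantTicket's body continues past the hunk.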
@@ -380,15 +394,6 @@ func parseEmbeddedTemplates() *template.Template {
 	return root
 }
 
-// Template helper function that encodes its input as JSON.
-func toJSON(obj interface{}) string {
-	data, err := json.Marshal(obj)
-	if err != nil {
-		return ""
-	}
-	return string(data)
-}
-
 func sl2bl(sl []string) [][]byte {
 	var out [][]byte
 	for _, s := range sl {
@@ -424,6 +429,15 @@ func intersectGroups(a, b []string) []string {
 	return out
 }
 
+// Template helper function that encodes its input as JSON.
+func toJSON(obj interface{}) string {
+	data, err := json.Marshal(obj)
+	if err != nil {
+		return ""
+	}
+	return string(data)
+}
+
 // Return an integrity= attribute for the given URI (which should be
 // supplied without an eventual prefix).
 func sriIntegrity(uri string) template.HTML {