diff --git a/helpers.go b/helpers.go
index 28473a2..16d8def 100644
--- a/helpers.go
+++ b/helpers.go
@@ -137,15 +137,17 @@ func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Reque
 func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request) (bool, string) {
 session, err := t.store.Get(req, cookieName)
 if err != nil {
- handleError(rw, "Session error", http.StatusInternalServerError, t.logger)
+ t.logger.Errorf("Session error: %v", err)
+ t.initiateAuthentication(rw, req, session, t.redirectURL)
 return false, ""
 }
 callbackState := req.URL.Query().Get("state")
 sessionState, ok := session.Values["csrf"].(string)
 if !ok || callbackState != sessionState {
- handleError(rw, "Invalid state parameter", http.StatusBadRequest, t.logger)
- return false, "invalid-state-param"
+ t.logger.Debug("Invalid state parameter. Session might have expired.")
+ t.initiateAuthentication(rw, req, session, t.redirectURL)
+ return false, ""
 }
 code := req.URL.Query().Get("code")
diff --git a/main.go b/main.go
index a62b328..a98e549 100644
--- a/main.go
+++ b/main.go
@@ -275,12 +275,7 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
- if expired {
- t.handleExpiredToken(rw, req, session)
- return
- }
-
- if !authenticated {
+ if expired || !authenticated {
 t.initiateAuthentication(rw, req, session, t.redirectURL)
 return
 }
@@ -288,7 +283,7 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 if needsRefresh {
 refreshed := t.refreshToken(rw, req, session)
 if !refreshed {
- t.handleExpiredToken(rw, req, session)
+ t.initiateAuthentication(rw, req, session, t.redirectURL)
 return
 }
 }
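Review bot: The state check in handleCallback now treats a missing session value and a value that is present but different the same way, and both are logged only at Debug. Only the `!ok` case is explained by an expired session; a `callbackState` that disagrees with a stored `csrf` value is the forged-callback signal and is better kept as a rejection, e.g. `if ok && callbackState != sessionState { handleError(rw, "Invalid state parameter", http.StatusBadRequest, t.logger); return false, "invalid-state-param" }` ahead of the restart. Restarting without any bound can also loop between the provider and this handler when the browser never returns the session cookie, so the restart path deserves a log line at a level that is on in production. In the `err != nil` branch the `session` returned together with the error is passed to initiateAuthentication; whether it is non-nil and safe to write to depends on the store, which this hunk does not show. The function body continues past the end of the hunk.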
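Review bot: With `if expired || !authenticated` the expired case no longer passes through handleExpiredToken, so any session cleanup that helper did is skipped unless initiateAuthentication does it too; neither body is visible here. If initiateAuthentication does not remove the stored tokens before redirecting, expired token material stays in the session cookie for the length of the new login. The same applies to the failed-refresh branch in the next hunk (`if !refreshed`), where a rejected refresh token would otherwise be kept. A short comment at both call sites would record the intent, e.g. `// initiateAuthentication resets the session; handleExpiredToken is no longer needed on this path`, once that is confirmed. ServeHTTP starts and ends outside both hunks.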