diff --git a/src/Server.hs b/src/Server.hs
index 72d2b8d..14a427d 100644
--- a/src/Server.hs
+++ b/src/Server.hs
@@ -152,7 +152,7 @@ loginServer = decideLogin
       | otherwise = throwError err401 { errBody = "Prompt not supported" }
       where
         responseType' = readMaybe @ResponseType responseType
-        mCreds = mCookies >>= lookup "oa2_auth_cookie" . parseCookiesText . encodeUtf8
+        mCreds = mCookies >>= lookup "oa2_auth_cookie" . parseCookiesText . encodeUtf8 >>= \c -> if c == "\"\"" then Nothing else Just c
         validOIDC :: Bool
         validOIDC = let scopes' = map (read @(Scope' user)) $ words scopes
                     in  (Left OpenID `elem` scopes') == (responseType' == Just IDToken)
@@ -160,6 +160,7 @@ loginServer = decideLogin
         handleSSO :: AuthHandler user Html
         handleSSO = do -- TODO check openid scope
           liftIO $ putStrLn "login via SSO..."
+          liftIO . putStrLn $ "creds: " ++ show mCreds
           unless (read @ResponseType responseType == IDToken) $ throwError err500 { errBody = "Unsupported response type" }
           unless (isJust mCreds) $ throwError err500 { errBody = "Missing oauth2 cookie" }
           url' <- handleCreds @user @userData (fromJust mCreds) scopes client url mState mNonce