diff --git a/include/class.auth.php b/include/class.auth.php
index 9619a389f0af1b32cca214132205155d915f8d6f..a106d6a4c9fa89dce87115dfa7c460b4f19a0903 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -1006,8 +1006,9 @@ class PasswordResetTokenBackend extends StaffAuthenticationBackend {
             return false;
         elseif (!($_config = new Config('pwreset')))
             return false;
-        elseif (($staff = StaffSession::lookup($_POST['userid'])) &&
-                !$staff->getId())
+
+        $staff = StaffSession::lookup($_POST['userid']);
+        if (!$staff || !$staff->getId())
             $errors['msg'] = __('Invalid user-id given');
         elseif (!($id = $_config->get($_POST['token']))
                 || $id != $staff->getId())