diff --git a/include/class.usersession.php b/include/class.usersession.php
index 9e7fd277baf58d59b39ade1255bd29a1308493a4..250f6c05fceb0a3be0a5755458162e74775517e5 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -133,6 +133,8 @@ class ClientSession extends EndUser {
     }
 
     function refreshSession($force=false){
+        global $cfg;
+
         $time = $this->session->getLastUpdate($this->token);
         // Deadband session token updates to once / 30-seconds
         if (!$force && time() - $time < 30)
@@ -140,6 +142,13 @@ class ClientSession extends EndUser {
 
         $this->token = $this->getSessionToken();
         //TODO: separate expire time from hash??
+
+        setcookie(session_name(), session_id(),
+            ($time ?: time()) + ($cfg->getClientTimeout() ?: 604800),
+            ini_get('session.cookie_path'),
+            ini_get('session.cookie_domain'),
+            ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly'));
     }
 
     function getSession() {
@@ -177,12 +186,21 @@ class StaffSession extends Staff {
     }
 
     function refreshSession($force=false){
+        global $cfg;
+
         $time = $this->session->getLastUpdate($this->token);
         // Deadband session token updates to once / 30-seconds
         if (!$force && time() - $time < 30)
             return;
 
         $this->token=$this->getSessionToken();
+
+        setcookie(session_name(), session_id(),
+            ($time ?: time()) + ($cfg->getStaffTimeout() ?: 604800),
+            ini_get('session.cookie_path'),
+            ini_get('session.cookie_domain'),
+            ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly'));
     }
 
     function getSession() {
diff --git a/logout.php b/logout.php
index 74d73cc377b58049f286551771ff880dfc800fab..11e0e11fbf02c45ee3666fabcd9805cd90dc1238 100644
--- a/logout.php
+++ b/logout.php
@@ -19,6 +19,11 @@ require('client.inc.php');
 if ($thisclient && $_GET['auth'] && $ost->validateLinkToken($_GET['auth']))
    $thisclient->logOut();
 
+setcookie(session_name(), 'deleted', 1,
+    ini_get('session.cookie_path'),
+    ini_get('session.cookie_domain'),
+    ini_get('session.cookie_secure'),
+    ini_get('session.cookie_httponly'));
 
 Http::redirect('index.php');
 ?>
diff --git a/scp/logout.php b/scp/logout.php
index bdc697c78beceb7b4cf3185603f45afbcf8d2838..f51d9ed8aeb4b5f37aa5af5acac39107b3a380b8 100644
--- a/scp/logout.php
+++ b/scp/logout.php
@@ -31,6 +31,12 @@ TicketLock::removeStaffLocks($thisstaff->getId());
 session_unset();
 session_destroy();
 
+setcookie(session_name(), 'deleted', 1,
+    ini_get('session.cookie_path'),
+    ini_get('session.cookie_domain'),
+    ini_get('session.cookie_secure'),
+    ini_get('session.cookie_httponly'));
+
 @header('Location: login.php');
 require('login.php');
 ?>