diff --git a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
index ad12321..897f806 100644
--- a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
+++ b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
@@ -376,7 +376,8 @@ describe("session signing", () => {
     process.env.LOGICSRC_SESSION_SECRET = "session_secret_for_tests";
     const token = signSession({ provider: "coinpay", sub: "merchant-123" });
     expect(verifySession(token)).toMatchObject({ provider: "coinpay", sub: "merchant-123" });
-    expect(verifySession(`${token}tampered`)).toBeNull();
+    expect(verifySession(`tampered`)).toBeNull();
+    expect(verifySession(`.extra`)).toBeNull();
   });
 });
 
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
index aaa9fb9..0bfec17 100644
--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -160,7 +160,9 @@ export function signSession(payload: Record<string, unknown>): string {
 }
 
 export function verifySession(value: string): Record<string, unknown> | null {
-  const [encoded, signature] = value.split(".");
+  const parts = value.split(".");
+  if (parts.length !== 2) return null;
+  const [encoded, signature] = parts;
   if (!encoded || !signature) return null;
 
   const expected = createHmac("sha256", getSessionSecret()).update(encoded).digest("base64url");