diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 36304080e..3d3fd7d3f 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -1,12 +1,13 @@
 import languages from "@rallly/languages";
 import languageParser from "accept-language-parser";
+import { unsealData } from "iron-session/edge";
 import { NextResponse } from "next/server";
 import withAuth from "next-auth/middleware";
 
 const supportedLocales = Object.keys(languages);
 
 export default withAuth(
-  function middleware(req) {
+  async function middleware(req) {
     const { headers, nextUrl } = req;
     const newUrl = nextUrl.clone();
 
@@ -49,11 +50,20 @@ export default withAuth(
      */
     const legacyToken = req.cookies.get("rallly-session");
     if (legacyToken) {
-      res.cookies.set({
-        name: "legacy-token",
-        value: legacyToken.value,
-      });
+      // delete old cookie
       res.cookies.delete("rallly-session");
+      // make sure old cookie isn't expired
+      const payload = await unsealData(legacyToken.value, {
+        password: process.env.SECRET_PASSWORD,
+      });
+      // if it's not expired, write it to a new cookie that we
+      // can read from the client
+      if (Object.keys(payload).length > 0) {
+        res.cookies.set({
+          name: "legacy-token",
+          value: legacyToken.value,
+        });
+      }
     }
 
     return res;