diff --git a/src/main/java/org/caosdb/server/grpc/AuthInterceptor.java b/src/main/java/org/caosdb/server/grpc/AuthInterceptor.java
index 5078d55d8bb8bae6e38368f9effb74b2d9d6fede..644a671947f6d7c0dff12d5ac53f2e5d130159db 100644
--- a/src/main/java/org/caosdb/server/grpc/AuthInterceptor.java
+++ b/src/main/java/org/caosdb/server/grpc/AuthInterceptor.java
@@ -50,6 +50,12 @@ public class AuthInterceptor implements ServerInterceptor {
       Pattern.compile("^\\s*" + AuthenticationUtils.SESSION_TOKEN_COOKIE + "\\s*=\\s*");
   public static final Predicate<String> SESSION_TOKEN_COOKIE_PREFIX_PREDICATE =
       SESSION_TOKEN_COOKIE_PREFIX_PATTERN.asPredicate();
+
+  public final Metadata expiredSessionMetadata() {
+    Metadata metadata = new Metadata();
+    metadata.put(CookieSetter.SET_COOKIE, CookieSetter.EXPIRED_SESSION_COOKIE);
+    return metadata;
+  }
   /**
    * A no-op listener. This class is used for failed authentications. We couldn't return a null
    * instead because the documentation of the {@link ServerInterceptor} explicitely forbids it.
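Review bot: `expiredSessionMetadata()` is added without Javadoc and is declared `public final`, although it reads no instance state and, within this diff, is only called from inside `AuthInterceptor`. I would declare it `private static Metadata expiredSessionMetadata()` and give it a short Javadoc such as `/** Returns fresh trailers that instruct the client to drop its session cookie; sent whenever authentication fails. */`. Building a new `Metadata` per call is right because `Metadata` is mutable, and the comment should say so to stop someone caching it in a constant later. A blank line between the method's closing brace and the following Javadoc block would keep the two members apart.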
@@ -107,7 +113,7 @@ public class AuthInterceptor implements ServerInterceptor {
     } else {
       status = Status.UNAUTHENTICATED.withDescription("Unsupported authentication scheme.");
     }
-    call.close(status, new Metadata());
+    call.close(status, expiredSessionMetadata());
     return new NoOpListener<ReqT>();
   }
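Review bot: The session cookie is now also expired on the `Unsupported authentication scheme` path, where no session token was actually rejected. The `if` branch this `else` belongs to starts outside the hunk, so it is not visible whether a still-valid cookie can accompany such a request. If ending the browser session on every `UNAUTHENTICATED` close is intended, state it at the call site, e.g. `// Always expire the session cookie on failed authentication so a client never keeps a token next to a rejected request.`. The same change at the invalid-token and wrong-password close sites further down is easier to justify, and one comment on the helper would cover all three.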
 
@@ -130,7 +136,7 @@ public class AuthInterceptor implements ServerInterceptor {
       final Status status =
           Status.UNAUTHENTICATED.withDescription(
               "Authentication failed. SessionToken was invalid.");
-      call.close(status, new Metadata());
+      call.close(status, expiredSessionMetadata());
       return new NoOpListener<ReqT>();
     }
   }
@@ -160,7 +166,7 @@ public class AuthInterceptor implements ServerInterceptor {
       final Status status =
           Status.UNAUTHENTICATED.withDescription(
               "Authentication failed. Username or password wrong.");
-      call.close(status, new Metadata());
+      call.close(status, expiredSessionMetadata());
       return new NoOpListener<ReqT>();
     }
   }
@@ -203,7 +209,10 @@ public class AuthInterceptor implements ServerInterceptor {
 
 final class CookieSetter<ReqT, RespT>
     extends ForwardingServerCall.SimpleForwardingServerCall<ReqT, RespT> {
-  private static final Key<String> SET_COOKIE =
+  public static final String EXPIRED_SESSION_COOKIE =
+      AuthenticationUtils.SESSION_TOKEN_COOKIE
+          + "=expired; Path=/; HttpOnly; SameSite=Strict; Max-Age=0";
+  public static final Key<String> SET_COOKIE =
       Key.of("Set-Cookie", Metadata.ASCII_STRING_MARSHALLER);
 
   protected CookieSetter(ServerCall<ReqT, RespT> delegate) {
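Review bot: `EXPIRED_SESSION_COOKIE` hard-codes `Path=/; HttpOnly; SameSite=Strict`, while the live session cookie is assembled further down in this class, outside the hunk. A browser only replaces a cookie whose name, path and domain match, so if the two attribute lists ever diverge the expiry silently stops working; deriving both strings from one shared attribute constant would prevent that. It is also worth checking whether the live cookie carries `Secure` and mirroring it here. Because `CookieSetter` is package-private, `public` on the two constants adds nothing; `static final Key<String> SET_COOKIE =` is enough for `AuthInterceptor` in the same package.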
@@ -244,6 +253,8 @@ final class CookieSetter<ReqT, RespT>
                   + getSessionTimeoutSeconds());
         }
       }
+    } else {
+      headers.put(SET_COOKIE, EXPIRED_SESSION_COOKIE);
     }
   }
 }
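Review bot: The new `else` pairs with an `if` that opens above the hunk, so the condition under which the expiring cookie is sent is not visible here and should be documented on the branch itself. If the branch is reached for every response without an authenticated session, anonymous calls will now carry a `Set-Cookie` header each time, which is harmless but should be a stated decision. A comment such as `// No valid session for this call: make the client drop any stale session cookie.` would do, and a test asserting the header on this path would pin the behaviour.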