commit:30465019b067284f33ffe514e970edcf3ca6f1e5
author:Chip Black
committer:Chip Black
date:Sun Mar 6 22:51:22 2011 -0600
parents:ad83476bc8cb4ea6d35b8711f00220b8b1072eca
Change auth to allow multiple logins
diff --git a/cgi/cgi_blerg.c b/cgi/cgi_blerg.c
line changes: +4/-3
index 664d6a5..b479535
--- a/cgi/cgi_blerg.c
+++ b/cgi/cgi_blerg.c
@@ -307,12 +307,12 @@ int main(int argc, char *argv[]) {
 			exit(0);
 		}
 
-		if (!auth_login(username, password)) {
+		char *token = auth_login(username, password);
+		if (token == NULL) {
 			respond_JSON_Failure();
 			exit(0);
 		}
 
-		char *token = auth_get_token(username);
 		printf("Set-Cookie: auth=%s\r\n", token);
 		free(token);
 
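Review bot: The `Set-Cookie` line that carries the token returned by the new `auth_login` sets no cookie attributes, and after this commit that token is a standalone bearer credential for one of several concurrent sessions. Consider `printf("Set-Cookie: auth=%s; HttpOnly\r\n", token);`, adding `; Secure` where the site is served over HTTPS. Whether client-side script needs to read the cookie is not visible here, so confirm that before adding HttpOnly. The login branch in http/http_blerg.c builds the same header with `snprintf(data, 512, "auth=%s", token)` and would take the same change. The enclosing `main` starts and ends outside this hunk.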
@@ -327,7 +327,8 @@ int main(int argc, char *argv[]) {
 		if (!check_auth(username))
 			exit(0);
 
-		auth_logout(username);
+		const char *given_token = cgi_getcookie("auth");
+		auth_logout(username, given_token);
 		respond_JSON_Success();
 	} else if (strncmp(path, "/subscribe", 10) == 0 || strncmp(path, "/unsubscribe", 12) == 0) {
 		const char *username = cgi_getentrystr("username");
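Review bot: The return value of `auth_logout(username, given_token)` is discarded, so the client is told the logout succeeded even when no token file was removed and the session token is still valid on disk. Check it in the style the login branch uses: `if (!auth_logout(username, given_token)) { respond_JSON_Failure(); exit(0); }`. `cgi_getcookie("auth")` presumably returns NULL when the cookie is absent, and that value goes straight into a `%s` path format inside `auth_logout`; whether `check_auth` already guarantees the cookie is present is not visible in this hunk. The logout branch in http/http_blerg.c has the same pattern with `MHD_lookup_connection_value`.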

diff --git a/common/auth.c b/common/auth.c
line changes: +25/-39
index 26569fd..0dbe6a4
--- a/common/auth.c
+++ b/common/auth.c
@@ -95,70 +95,56 @@ char *create_random_token() {
 	return token;
 }
 
-int auth_login(const char *username, const char *password) {
+char * auth_login(const char *username, const char *password) {
 	char filename[512];
 	int token_fd;
 
 	if (!auth_check_password(username, password))
-		return 0;
+		return NULL;
 
-	sprintf(filename, "%s/%s/token", DATA_PATH, username);
+	char *token = create_random_token();
+
+	sprintf(filename, "%s/%s/tokens", DATA_PATH, username);
+	if (access(filename, F_OK) != 0) {
+		if (mkdir(filename, 0700) == -1) {
+			perror("Could not create auth token dir");
+			return NULL;
+		}
+	}
+
+	sprintf(filename, "%s/%s/tokens/%s", DATA_PATH, username, token);
 	token_fd = open(filename, O_WRONLY | O_CREAT, 0600);
 	if (token_fd == -1) {
 		perror("Could not open token");
-		return 0;
+		return NULL;
 	}
-
-	char *token = create_random_token();
-	write(token_fd, token, TOKEN_SIZE * 2);
 	close(token_fd);
-	free(token);
 
-	return 1;
+	return token;
 }
 
-int auth_logout(const char *username) {
+int auth_logout(const char *username, const char *token) {
 	char filename[512];
 
 	if (!valid_name(username))
 		return 0;
 
-	sprintf(filename, "%s/%s/token", DATA_PATH, username);
+	sprintf(filename, "%s/%s/tokens", DATA_PATH, username);
+	if (access(filename, F_OK) != 0) {
+		return 0;
+	}
+
+	sprintf(filename, "%s/%s/tokens/%s", DATA_PATH, username, token);
 	if (unlink(filename) == -1)
 		return 0;
 
 	return 1;
 }
 
-char *auth_get_token(const char *username) {
+int auth_check_token(const char *username, const char *given_token) {
 	char filename[512];
-	char *token;
-	int token_fd;
 
-	if (!valid_name(username))
-		return 0;
+	sprintf(filename, "%s/%s/tokens/%s", DATA_PATH, username, given_token);
 
-	sprintf(filename, "%s/%s/token", DATA_PATH, username);
-	token_fd = open(filename, O_RDONLY, 0600);
-	if (token_fd == -1) {
-		perror("Could not open token");
-		return NULL;
-	}
-
-	token = malloc(TOKEN_SIZE * 2 + 1);
-	read(token_fd, token, TOKEN_SIZE * 2);
-	close(token_fd);
-
-	return token;
-}
-
-int auth_check_token(const char *username, const char *given_token) {
-	char *token = auth_get_token(username);
-	if (token != NULL && given_token != NULL) {
-		int ret = (strncmp(token, given_token, TOKEN_SIZE * 2) == 0);
-		free(token);
-		return ret;
-	} else {
-		return 0;
-	}
+	return (access(filename, F_OK) == 0);
 }
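Review bot: `auth_check_token` and `auth_logout` now splice the client-supplied cookie value into a filesystem path with unbounded `sprintf` and no validation, so authentication reduces to whether that path exists. An empty value or one containing path separators or dot components resolves to something other than a token file, a NULL value is undefined behaviour under `%s`, and a long value overruns `filename[512]`; in `auth_logout` the same string reaches `unlink`. `auth_check_token` also lost the `valid_name(username)` check that the removed `auth_get_token` performed. Both functions should reject any token that does not have exactly the shape `create_random_token` emits before building the path, and should use `snprintf`; the alphabet in the sketch below assumes hex output, which is not visible in this hunk. Separately, `auth_login` leaks `token` on its two `return NULL` paths after `create_random_token()`.

```c
/* Accept only the shape create_random_token() produces (hex alphabet assumed; confirm). */
static int valid_token(const char *token) {
	size_t len = TOKEN_SIZE * 2;

	if (token == NULL || strlen(token) != len)
		return 0;
	return strspn(token, "0123456789abcdefABCDEF") == len;
}

int auth_check_token(const char *username, const char *given_token) {
	char filename[512];

	if (!valid_name(username) || !valid_token(given_token))
		return 0;

	snprintf(filename, sizeof filename, "%s/%s/tokens/%s", DATA_PATH, username, given_token);
	return (access(filename, F_OK) == 0);
}

int auth_logout(const char *username, const char *token) {
	char filename[512];

	if (!valid_name(username) || !valid_token(token))
		return 0;
	// … unchanged: tokens directory check, path build and unlink …
}
```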

diff --git a/common/auth.h b/common/auth.h
line changes: +2/-3
index d180bfd..647bd6f
--- a/common/auth.h
+++ b/common/auth.h
@@ -7,9 +7,8 @@
 int auth_set_password(const char *, const char *);
 int auth_get_password(const char *, char *);
 int auth_check_password(const char *, const char *);
-int auth_login(const char *username, const char *password);
-int auth_logout(const char *username);
-char *auth_get_token(const char *username);
+char * auth_login(const char *username, const char *password);
+int auth_logout(const char *username, const char *token);
 int auth_check_token(const char *username, const char *given_token);
 
 #endif //_AUTH_H

diff --git a/http/http_blerg.c b/http/http_blerg.c
line changes: +4/-3
index 85a1e5b..a4226ab
--- a/http/http_blerg.c
+++ b/http/http_blerg.c
@@ -521,12 +521,12 @@ ahc_derp (void *cls, struct MHD_Connection *connection, const char *url, const c
 		if (as->username[0] == 0 || as->password[0] == 0)
 			return respond_JSON_Failure(connection);
 
-		if (!auth_login(as->username, as->password))
+		char *token = auth_login(as->username, as->password);
+		if (token == NULL)
 			return respond_JSON_Failure(connection);
 
 		response = MHD_create_response_from_data(strlen(JSON_SUCCESS), JSON_SUCCESS, MHD_NO, MHD_NO);
 
-		char *token = auth_get_token(as->username);
 		data = malloc(512);
 		snprintf(data, 512, "auth=%s", token);
 		MHD_add_response_header(response, "Set-Cookie", data);
@@ -548,7 +548,8 @@ ahc_derp (void *cls, struct MHD_Connection *connection, const char *url, const c
 
 		struct auth_state *as = (struct auth_state *) *ptr;
 
-		auth_logout(as->username);
+		const char *given_token = MHD_lookup_connection_value(connection, MHD_COOKIE_KIND, "auth");
+		auth_logout(as->username, given_token);
 		return respond_JSON_Success(connection);
 	} else if (strncmp(url, "/subscribe", 10) == 0 || strncmp(url, "/unsubscribe", 12) == 0) {
 		ret = process_and_check_auth(connection, method, upload_data, upload_data_size, ptr);