diff --git a/lib/auth.js b/lib/auth.js
index de1384b6..44673c20 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -91,14 +91,24 @@ function switchSessionCookie (request) {
   return request
 }
 
-export function checkMultiAuthCookies (req, res) {
+async function checkMultiAuthCookies (req, res) {
   if (!req.cookies[MULTI_AUTH_LIST] || !req.cookies[MULTI_AUTH_POINTER]) {
     return false
   }
 
+  const pointer = req.cookies[MULTI_AUTH_POINTER]
+  if (isNaN(Number(pointer)) && pointer !== MULTI_AUTH_ANON) {
+    return false
+  }
+
   const accounts = b64Decode(req.cookies[MULTI_AUTH_LIST])
   for (const account of accounts) {
-    if (!req.cookies[MULTI_AUTH_JWT(account.id)]) {
+    const jwt = req.cookies[MULTI_AUTH_JWT(account.id)]
+    if (!jwt) return false
+
+    try {
+      await decodeJWT({ token: jwt, secret: process.env.NEXTAUTH_SECRET })
+    } catch (err) {
       return false
     }
   }
@@ -158,7 +168,7 @@ export async function multiAuthMiddleware (req, res) {
     req = new NodeNextRequest(req)
   }
 
-  const ok = checkMultiAuthCookies(req, res)
+  const ok = await checkMultiAuthCookies(req, res)
   if (!ok) {
     resetMultiAuthCookies(req, res)
     return switchSessionCookie(req)
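Review bot: The new try/catch only guards `decodeJWT`, so a tampered or malformed `MULTI_AUTH_LIST` cookie still reaches `b64Decode(...)` and the `for (const account of accounts)` line unguarded; if `b64Decode` throws or returns a non-iterable (its implementation is outside the hunk), `checkMultiAuthCookies` rejects instead of returning false, and the `await checkMultiAuthCookies(req, res)` in the second hunk then surfaces that rejection from `multiAuthMiddleware` rather than falling through to `resetMultiAuthCookies`. Wrapping the decode and the per-account loop in the same failure path keeps every bad-cookie case on the `return false` branch; the function body continues past the hunk. Two smaller points on the same hunk: the signature changes from `export function` to `async function`, so any other module importing `checkMultiAuthCookies` would break (confirm there are none), and `isNaN(Number(pointer))` is the coercing global — `Number.isNaN(Number(pointer))` is the idiomatic form. Also consider `catch {` since `err` is unused.
```javascript
async function checkMultiAuthCookies (req, res) {
  // … unchanged: presence and pointer checks …
  let accounts
  try {
    accounts = b64Decode(req.cookies[MULTI_AUTH_LIST])
  } catch {
    return false
  }
  if (!Array.isArray(accounts)) return false
  for (const account of accounts) {
    // … unchanged: per-account jwt lookup and decodeJWT …
  }
```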