diff --git a/oauthproxy.go b/oauthproxy.go
index 12023eb6..d4208de8 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -128,7 +128,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 		aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret))
 		if err != nil {
 			log.Fatal("error creating AES cipher with "+
-				"pass_access_token == true: %s", err)
+				"cookie-secret ", opts.CookieSecret, ": ", err)
 		}
 	}
 
diff --git a/options.go b/options.go
index e6aafac0..262e27f3 100644
--- a/options.go
+++ b/options.go
@@ -120,7 +120,7 @@ func (o *Options) Validate() error {
 	}
 	msgs = parseProviderInfo(o, msgs)
 
-	if o.PassAccessToken {
+	if o.PassAccessToken || (o.CookieRefresh != time.Duration(0)) {
 		valid_cookie_secret_size := false
 		for _, i := range []int{16, 24, 32} {
 			if len(o.CookieSecret) == i {
@@ -131,8 +131,8 @@ func (o *Options) Validate() error {
 			msgs = append(msgs, fmt.Sprintf(
 				"cookie_secret must be 16, 24, or 32 bytes "+
 					"to create an AES cipher when "+
-					"pass_access_token == true, "+
-					"but is %d bytes",
+					"pass_access_token == true or "+
+					"cookie_refresh != 0, but is %d bytes",
 				len(o.CookieSecret)))
 		}
 	}
diff --git a/options_test.go b/options_test.go
index dcb54217..55eda296 100644
--- a/options_test.go
+++ b/options_test.go
@@ -112,6 +112,10 @@ func TestPassAccessTokenRequiresSpecificCookieSecretLengths(t *testing.T) {
 	o.CookieSecret = "cookie of invalid length-"
 	assert.NotEqual(t, nil, o.Validate())
 
+	o.PassAccessToken = false
+	o.CookieRefresh = time.Duration(24) * time.Hour
+	assert.NotEqual(t, nil, o.Validate())
+
 	o.CookieSecret = "16 bytes AES-128"
 	assert.Equal(t, nil, o.Validate())