diff --git a/server.js b/server.js
index 278eb65..12bd5af 100644
--- a/server.js
+++ b/server.js
@@ -90,18 +90,18 @@ app.post("/login", (req, res) => {
let result = db.prepare("SELECT * FROM users WHERE username = @username AND passhash = @passhash").get({username: username, passhash: passhash});
if ( result ){
- console.log(`login ok user ${username}`);
+ console.log(`login ${username} ok`);
- res.cookie('s', JSON.stringify({
+ sendAuthCookie(res,{
i: result.id,
- u: result.username,
+ u: req.body.username,
d: new Date().toISOString()
- }));
+ });
res.redirect("./");
} else {
- console.log(`login failed for user ${username}`);
+ console.log(`login ${username} failed`);
res.redirect("/login.html#nope");
}
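Review bot: The cookie issued at `+ sendAuthCookie(res,{` carries the user's id and name as plain JSON with no signature, so the middleware in the next hunk (`s = JSON.parse(s); if ( s.i && s.u )`) has no way to tell a cookie the server issued from one the client composed; identity needs to be bound to something the server can verify. If `req.cookies` comes from cookie-parser (presumably — the setup is outside this diff), that is `app.use(cookieParser(SECRET))`, `res.cookie('s', ..., { signed: true })` inside `sendAuthCookie`, and reading `req.signedCookies.s` in the middleware; alternatively store only a random session id in the cookie and keep id/name server-side. Separately, `u: req.body.username` replaces the old `result.username`, so the name written to the cookie (and echoed by `/whoami`) is the raw form value rather than the row the query matched; keep `u: result.username`. The same cookie is issued at `/create-account` in the third hunk, where `sendAuthCookie` is defined, and the login handler itself begins before this hunk.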
@@ -114,21 +114,41 @@ app.use( (req, res, next) => {
let s = req.cookies.s;
if ( s ){
- s = JSON.parse(s);
- req.user = {
- id: s.i,
- name: s.u
- }
+ try {
+ s = JSON.parse(s);
- next();
+ if ( s.i && s.u ){
+ req.user = {
+ id: s.i,
+ name: s.u
+ }
+
+ next();
+ } else {
+ console.log(s);
+ console.error(`invalid cookie`);
+ failAuth(req,res);
+ }
+ } catch (err){
+ console.error(`error parsing cookie: `, err);
+ failAuth(req,res);
+ }
} else {
- console.log("not logged in");
- res.redirect("/login.html"); // this means we have issues with a context path, but is needed for image redirects to work
+ // if it's an api or image request, just 401 -- otherwise redirect the browser
+ failAuth(req,res);
}
});
+function failAuth(req,res){
+ if ( req.originalUrl.startsWith("/api") || req.originalUrl.startsWith("/thumbnails") || req.originalUrl.startsWith("/originals") ){
+ res.status(401).send();
+ } else {
+ res.redirect("/login.html"); // this means we have issues with a context path, but is needed for image redirects to work
+ }
+}
+
app.use(express.static('static'));
app.use(express.static(IMAGE_PATH));
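Review bot: `if ( s.i && s.u )` only tests truthiness, so any JSON shape in the cookie — an object or array in `i`, a non-string in `u` — becomes `req.user.id` / `req.user.name` and flows into later queries and log lines; constrain the types, e.g. `if ( Number.isInteger(s.i) && typeof s.u === 'string' ){`. The `console.log(s)` in the else branch writes the entire parsed cookie payload to stdout on every malformed request; a short message such as `console.error('cookie missing id or name')` is enough. `failAuth` is called before its declaration, which works because function declarations are hoisted, but a one-line comment above it — `// shared unauthenticated response: 401 for API/image paths, redirect for pages` — would make that intentional. The middleware at `app.use( (req, res, next)` starts before this hunk, so I cannot see whether `/login.html` and the static login assets are exempted from it; if not, the redirect in `failAuth` would loop.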
@@ -394,22 +414,29 @@ app.post("/create-account", (req, res) => {
console.log(` user pk = ${result.lastInsertRowid}`);
- let c = {
+ sendAuthCookie(res, {
i: result.lastInsertRowid,
u: req.body.username,
d: new Date().toISOString()
- }
-
- res.cookie('s', JSON.stringify(c));
+ });
res.redirect("create-account.html");
-
+});
+
+app.get("/logout", (req, res) => {
+ console.log(`logout user ${req.user.name}`);
+ res.cookie('s', '', {maxAge:0});
+ res.redirect("/login.html");
});
app.get("/whoami", (req, res) => {
res.send(req.user);
});
+function sendAuthCookie(res, c){
+ res.cookie('s', JSON.stringify(c), {maxAge: 315569520000}); // 10 years
+}
+
function hashPassword(pw){
return crypto.createHash('sha256', passwordSalt).update(pw).digest('hex');
}
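Review bot: `sendAuthCookie` sets a ten-year cookie with only `maxAge`, so the cookie is readable by page scripts and is attached to cross-site requests; add `httpOnly: true` and `sameSite: 'lax'` (and `secure: true` wherever the app is served over HTTPS), e.g. `res.cookie('s', JSON.stringify(c), {maxAge: 315569520000, httpOnly: true, sameSite: 'lax'}); // 10 years`. With that lifetime and no server-side session record, `/logout` only clears the browser's copy and an earlier copy of the same cookie value keeps working until it expires; if that is accepted, say so in a comment on `sendAuthCookie`. In `/logout`, `res.clearCookie('s')` states the intent more directly than `res.cookie('s', '', {maxAge:0})`, and since the route changes auth state on a GET, a POST would keep a plain link or image from ending the session. Unrelated to this change but visible in the context lines: `crypto.createHash('sha256', passwordSalt)` passes the salt where Node expects an options object, so it is not applied to the hash.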
diff --git a/static/components/navbar.js b/static/components/navbar.js
index 0f80699..0d34df9 100644
--- a/static/components/navbar.js
+++ b/static/components/navbar.js
@@ -10,6 +10,10 @@ app.addSetter('navbar.refresh', () =>{
window.location.reload();
});
+app.addSetter("navbar.logout", () => {
+ window.location = "./logout";
+});
+
app.addComponent('navbar', (store) => { return new Reef("#navbar", {
store: store,
template: (data) => {
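Review bot: `window.location = "./logout"` navigates with a relative path while the server side of this change redirects to the absolute `/login.html` and `failAuth` matches absolute prefixes, so the two halves will resolve differently once the app sits under a context path — the comment in server.js already notes that problem; pick one convention for both. `window.location.assign("./logout")` also reads more plainly than assigning to the location object.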
@@ -71,7 +75,7 @@ app.addComponent('navbar', (store) => { return new Reef("#navbar", {
${refreshItem}
-
+
sign out