Don't reset the session when the token refers to an invalid user