diff --git a/auth.c b/auth.c
index 85acaabc..9f449f70 100644
--- a/auth.c
+++ b/auth.c
@@ -1277,7 +1277,7 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 	vpninfo->csd_waiturl = NULL;
 	vpninfo->csd_scriptname = strdup(fname);
 
-	http_add_cookie(vpninfo, "sdesktop", vpninfo->csd_token);
+	http_add_cookie(vpninfo, "sdesktop", vpninfo->csd_token, 1);
 	return 0;
 #endif /* !_WIN32 */
 }
diff --git a/http.c b/http.c
index a9634aad..e3e5898e 100644
--- a/http.c
+++ b/http.c
@@ -280,8 +280,8 @@ int buf_free(struct oc_text_buf *buf)
  * provided by their caller.
  */
 
-int http_add_cookie(struct openconnect_info *vpninfo,
-		    const char *option, const char *value)
+int http_add_cookie(struct openconnect_info *vpninfo, const char *option,
+		    const char *value, int replace)
 {
 	struct oc_vpn_option *new, **this;
 
@@ -307,6 +307,12 @@ int http_add_cookie(struct openconnect_info *vpninfo,
 	}
 	for (this = &vpninfo->cookies; *this; this = &(*this)->next) {
 		if (!strcmp(option, (*this)->option)) {
+			if (!replace) {
+				free(new->value);
+				free(new->option);
+				free(new);
+				return 0;
+			}
 			/* Replace existing cookie */
 			if (new)
 				new->next = (*this)->next;
@@ -417,7 +423,7 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
 				vpn_progress(vpninfo, PRG_ERR,
 					     _("SSL certificate authentication failed\n"));
 
-			ret = http_add_cookie(vpninfo, colon, equals);
+			ret = http_add_cookie(vpninfo, colon, equals, 1);
 			if (ret)
 				return ret;
 		} else {
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 0eb06e84..6edf3a74 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -806,8 +806,8 @@ int internal_parse_url(const char *url, char **res_proto, char **res_host,
 int do_https_request(struct openconnect_info *vpninfo, const char *method,
 		     const char *request_body_type, struct oc_text_buf *request_body,
 		     char **form_buf, int fetch_redirect);
-int http_add_cookie(struct openconnect_info *vpninfo,
-			   const char *option, const char *value);
+int http_add_cookie(struct openconnect_info *vpninfo, const char *option,
+		    const char *value, int replace);
 int process_http_response(struct openconnect_info *vpninfo, int connect,
 			  int (*header_cb)(struct openconnect_info *, char *, char *),
 			  struct oc_text_buf *body);