diff --git a/web/includes/actions/login.php b/web/includes/actions/login.php
index 3820853b1..00c83d2b2 100644
--- a/web/includes/actions/login.php
+++ b/web/includes/actions/login.php
@@ -50,6 +50,7 @@ if ( ('login' == $action) && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == '
 if ( isset($responseData['error-codes']) && is_array($responseData['error-codes']) ) {
 if ( !in_array('invalid-input-secret', $responseData['error-codes']) ) {
 Error('reCaptcha authentication failed');
+ unset($user); // unset should be ok here because we aren't in a function
 return;
 } else {
 Error('Invalid recaptcha secret detected');
@@ -58,20 +59,12 @@ if ( ('login' == $action) && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == '
 } // end if success==false
 } // end if using reCaptcha
- // coming here means we need to authenticate the user
 // if captcha existed, it was passed
- $username = $_REQUEST['username'];
- $password = $_REQUEST['password'];
-
- $ret = validateUser($username, $password);
- if ( !$ret[0] ) {
- ZM\Error($ret[1]);
+ if ( ! $user ) {
 $_SESSION['loginFailed'] = true;
- unset($user); // unset should be ok here because we aren't in a function
 return;
 }
- $user = $ret[0];
 $close_session = 0;
 if ( !is_session_started() ) {
diff --git a/web/includes/auth.php b/web/includes/auth.php
index 514a87ae0..c4c58d29e 100644
--- a/web/includes/auth.php
+++ b/web/includes/auth.php
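Review bot: `if ( ! $user )` in the rewritten failure check reads `$user` even when auth.php has `unset()` it (or never assigned it), which raises an undefined-variable warning before the branch is taken; `if ( empty($user) ) {` keeps the intent without the notice. Because validateUser() is no longer called here, a login with reCAPTCHA enabled depends on something else having set `$user` after the captcha passed; as far as the visible hunks show, auth.php skips credential validation when ZM_OPT_USE_GOOG_RECAPTCHA is on, so that path would appear to always land in the failure branch — worth confirming against the full auth.php. The enclosing `if ( ('login' == $action) ...` block starts before the hunk.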
@@ -256,15 +256,31 @@ if ( ZM_OPT_USE_AUTH ) {
 # This prevent session modification to switch users
 if ( isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )
 $user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
+ else
+ ZM\Logger::Debug("No auth hash in session, there should have been");
+
 } else {
 # Need to refresh permissions and validate that the user still exists
 $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
 $user = dbFetchOne($sql, NULL, array($_SESSION['username']));
 }
+ } else {
+ ZM\Logger::Debug("No username in session");
 }
 if ( ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST['auth']) ) {
 $user = getAuthUser($_REQUEST['auth']);
+ } else if (
+ ! ( empty($_REQUEST['username']) or empty($_REQUEST['password']) or
+ (defined('ZM_OPT_USE_GOOG_RECAPTCHA') && ZM_OPT_USE_GOOG_RECAPTCHA )
+ ) ) {
+ $ret = validateUser($_REQUEST['username'], $_REQUEST['password');
+ if ( !$ret[0] ) {
+ ZM\Error($ret[1]);
+ unset($user); // unset should be ok here because we aren't in a function
+ return;
+ }
+ $user = $ret[0];
 }
 if ( !empty($user) ) {
diff --git a/web/index.php b/web/index.php
index 9374e5f95..93d2c8ff3 100644
--- a/web/index.php
+++ b/web/index.php
@@ -77,7 +77,6 @@ if ( $_SERVER['REQUEST_METHOD'] == 'OPTIONS' ) {
 return;
 }
-
 if ( isset($_GET['skin']) ) {
 $skin = $_GET['skin'];
 } else if ( isset($_COOKIE['zmSkin']) ) {
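Review bot: The validateUser() call has a mismatched bracket, `$_REQUEST['password')`, which is a parse error that will break every page that includes auth.php; it should read `$ret = validateUser($_REQUEST['username'], $_REQUEST['password']);`. Credential validation now runs for any request carrying username and password parameters rather than only the login action, and since `$_REQUEST` also covers the query string, credentials sent via GET would end up in server access logs; restricting this branch to POST requests (or to the login action, if that variable is in scope here) would avoid that. The `return;` on failure exits only the included file, as the comment says, but it leaves `$user` unset for the rest of the request, so later code should test it with `empty()` rather than reading it directly. The enclosing `if ( ZM_OPT_USE_AUTH )` block starts before the hunk.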