diff --git a/options.go b/options.go
index 262e27f..3767546 100644
--- a/options.go
+++ b/options.go
@@ -137,6 +137,14 @@ func (o *Options) Validate() error {
 		}
 	}
 
+	if o.CookieRefresh >= o.CookieExpire {
+		msgs = append(msgs, fmt.Sprintf(
+			"cookie_refresh (%s) must be less than "+
+				"cookie_expire (%s)",
+			o.CookieRefresh.String(),
+			o.CookieExpire.String()))
+	}
+
 	if len(msgs) != 0 {
 		return fmt.Errorf("Invalid configuration:\n  %s",
 			strings.Join(msgs, "\n  "))
diff --git a/options_test.go b/options_test.go
index 55eda29..fc1233b 100644
--- a/options_test.go
+++ b/options_test.go
@@ -4,6 +4,7 @@ import (
 	"net/url"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/bmizerany/assert"
 )
@@ -125,3 +126,15 @@ func TestPassAccessTokenRequiresSpecificCookieSecretLengths(t *testing.T) {
 	o.CookieSecret = "32 byte secret for AES-256------"
 	assert.Equal(t, nil, o.Validate())
 }
+
+func TestCookieRefreshMustBeLessThanCookieExpire(t *testing.T) {
+	o := testOptions()
+	assert.Equal(t, nil, o.Validate())
+
+	o.CookieSecret = "0123456789abcdef"
+	o.CookieRefresh = o.CookieExpire
+	assert.NotEqual(t, nil, o.Validate())
+
+	o.CookieRefresh -= time.Duration(1)
+	assert.Equal(t, nil, o.Validate())
+}