diff --git a/oauthproxy.go b/oauthproxy.go
index 1726515..c91441b 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -49,6 +49,7 @@ type OauthProxy struct {
 DisplayHtpasswdForm bool
 serveMux http.Handler
 PassBasicAuth bool
+ PassAccessToken bool
 AesCipher cipher.Block
 skipAuthRegex []string
 compiledRegex []*regexp.Regexp
@@ -122,7 +123,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
 var aes_cipher cipher.Block
- if opts.PassAccessToken {
+ if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
 var err error
 aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret))
 if err != nil {
@@ -153,6 +154,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 skipAuthRegex: opts.SkipAuthRegex,
 compiledRegex: opts.CompiledRegex,
 PassBasicAuth: opts.PassBasicAuth,
+ PassAccessToken: opts.PassAccessToken,
 AesCipher: aes_cipher,
 templates: loadTemplates(opts.CustomTemplatesDir),
 }
@@ -496,7 +498,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 req.Header["X-Forwarded-User"] = []string{user}
 req.Header["X-Forwarded-Email"] = []string{email}
 }
- if access_token != "" {
+ if p.PassAccessToken {
 req.Header["X-Forwarded-Access-Token"] = []string{access_token}
 }
 if email == "" {
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 4946a43..1823896 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
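Review bot: Turning on cookie refresh now makes `aes.NewCipher([]byte(opts.CookieSecret))` run in NewOauthProxy, so a deployment that only sets a refresh interval inherits the requirement that the cookie secret be exactly 16, 24 or 32 bytes, because the raw secret string is used directly as the AES key (aes.NewCipher returns KeySizeError otherwise). The `if err != nil {` branch runs past the hunk so I can't see how it fails, but this coupling is invisible from the option that triggers it; I'd check the length where options are validated and say so above the condition: `// A cipher is needed both to forward the access token and to store it encrypted in the cookie for refresh; the cookie secret must be a valid AES key length.`. NewOauthProxy begins and ends outside this hunk.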
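Review bot: In the ServeHTTP hunk the new condition leaves a client-supplied `X-Forwarded-Access-Token` header untouched whenever PassAccessToken is false, whereas before the header was overwritten whenever a token was present; unless it is stripped elsewhere in ServeHTTP (not visible here), a caller can now pass a value of its choice through to the upstream. The reverse case is also new: with PassAccessToken enabled the header is set even when `access_token` is empty, so the upstream receives an empty header value. I'd make both explicit with `if p.PassAccessToken && access_token != "" {` and an `} else { req.Header.Del("X-Forwarded-Access-Token") }` branch. ServeHTTP begins and ends outside this hunk.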
@@ -407,14 +407,19 @@ func NewProcessCookieTest() *ProcessCookieTest {
 pc_test.opts.CookieSecret = "foobar"
 pc_test.opts.ClientID = "bazquux"
 pc_test.opts.ClientSecret = "xyzzyplugh"
- pc_test.opts.PassAccessToken = true
 pc_test.opts.CookieSecret = "0123456789abcdef"
+ // First, set the CookieRefresh option so proxy.AesCipher is created,
+ // needed to encrypt the access_token.
+ pc_test.opts.CookieRefresh = time.Duration(24) * time.Hour
 pc_test.opts.Validate()
 pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool { return true })
+ // Now, zero-out proxy.CookieRefresh for the cases that don't involve
+ // access_token validation.
+ pc_test.proxy.CookieRefresh = time.Duration(0)
 pc_test.rw = httptest.NewRecorder()
 pc_test.req, _ = http.NewRequest("GET", "/", strings.NewReader(""))
 return &pc_test
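Review bot: The new comments explain the set-then-zero dance for CookieRefresh but not why `pc_test.opts.PassAccessToken = true` was dropped as the way to get a cipher; presumably because PassAccessToken now also decides whether ServeHTTP forwards `X-Forwarded-Access-Token`, which each test should opt into on its own. I'd extend the first comment with `// PassAccessToken is not used here because it also changes header forwarding in ServeHTTP.` and note next to the secret that "0123456789abcdef" is 16 bytes because aes.NewCipher requires a 16/24/32-byte key. Zeroing CookieRefresh after `pc_test.opts.Validate()` also means any validation that looks at the refresh interval ran against the 24h value rather than the zero the tests see; worth a sentence if that matters. NewProcessCookieTest begins and ends outside this hunk.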