diff --git a/src/node/hooks/express/socketio.js b/src/node/hooks/express/socketio.js
index b1e07ba91..3ceae1ddc 100644
--- a/src/node/hooks/express/socketio.js
+++ b/src/node/hooks/express/socketio.js
@@ -6,10 +6,6 @@ var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");
 var padMessageHandler = require("../../handler/PadMessageHandler");
-var cookieParser = require('cookie-parser');
-var sessionModule = require('express-session');
-const util = require('util');
-
 exports.expressCreateServer = function (hook_name, args, cb) {
 //init socket.io and redirect all requests to the MessageHandler
 // there shouldn't be a browser that isn't compatible to all
@@ -40,24 +36,15 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 cookie: false,
 });
- const cookieParserFn = util.promisify(cookieParser(settings.sessionKey, {}));
- const getSession = util.promisify(webaccess.sessionStore.get).bind(webaccess.sessionStore);
- io.use(async (socket, next) => {
+ io.use((socket, next) => {
 const req = socket.request;
 if (!req.headers.cookie) {
 // socketio.js-client on node.js doesn't support cookies (see https://git.io/JU8u9), so the
 // token and express_sid cookies have to be passed via a query parameter for unit tests.
 req.headers.cookie = socket.handshake.query.cookie;
 }
- await cookieParserFn(req, {});
- const expressSid = req.signedCookies.express_sid;
- if (expressSid) {
- const session = await getSession(expressSid);
- if (session) req.session = new sessionModule.Session(req, session);
- }
- // Note: PadMessageHandler.handleMessage calls SecurityMananger.checkAccess which will perform
- // authentication and authorization checks.
- return next(null, true);
+ // See: https://socket.io/docs/faq/#Usage-with-express-session
+ webaccess.sessionMiddleware(req, {}, next);
 });
 // var socketIOLogger = log4js.getLogger("socket.io");
diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index 09e672791..843cf1478 100644
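Review bot: The new `io.use` callback (second hunk of socketio.js, `@@ -40,24 +36,15 @@`) drops the comment that said where authentication and authorization are enforced, although `webaccess.sessionMiddleware(req, {}, next)` only attaches a session and never rejects a socket. express-session also creates a fresh, empty `req.session` when the handshake carries no valid `express_sid` cookie, whereas the removed code left `req.session` unset in that case, so any handler that treats the mere presence of `req.session` as proof of a login should be checked; those handlers are outside this diff. I would keep a comment above the call such as `// Only attaches req.session (possibly a new, empty one); access checks still run in PadMessageHandler.handleMessage.` Separately, the unchanged fallback that copies `socket.handshake.query.cookie` into `req.headers.cookie` is documented as a unit-test aid but runs for every client, which lets session cookies travel in URLs and end up in access logs, so restricting it to test runs would be worth a follow-up. The enclosing `expressCreateServer` function starts and ends outside the hunk.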
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -219,13 +219,9 @@ exports.expressConfigure = (hook_name, args, cb) => {
 }));
 }
- // Do not let express create the session, so that we can retain a reference to it for socket.io to
- // use.
- exports.sessionStore = new ueberStore();
-
- args.app.use(sessionModule({
+ exports.sessionMiddleware = sessionModule({
 secret: settings.sessionKey,
- store: exports.sessionStore,
+ store: new ueberStore(),
 resave: false,
 saveUninitialized: true,
 // Set the cookie name to a javascript identifier compatible string. Makes code handling it
@@ -256,7 +252,8 @@ exports.expressConfigure = (hook_name, args, cb) => {
 */
 secure: 'auto',
 }
- }));
+ });
+ args.app.use(exports.sessionMiddleware);
 args.app.use(cookieParser(settings.sessionKey, {}));
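Review bot: `exports.sessionMiddleware` in the `@@ -219,13 +219,9 @@` hunk has no comment explaining why it is exported, while the removed comment did explain the purpose of the old `exports.sessionStore`. The export is assigned inside `expressConfigure`, so it is undefined until that hook has run, and socketio.js relies on reading it lazily at handshake time; a short comment would make that ordering dependency visible, e.g. `// Exported so socket.io can run the same session middleware on its handshake requests; only set once expressConfigure has run.` Removing `exports.sessionStore` also changes the module's exported surface, so any other consumer of it (none is visible in this diff) would need updating. The body of `expressConfigure` continues outside the hunk.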