diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index 45d45a722..dbc8d6f6d 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -96,7 +96,30 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
   // get information about all sessions contained in this cookie
   if (sessionCookie) {
     let groupID = padID.split("$")[0];
-    let sessionIDs = sessionCookie.split(',');
+
+    /*
+     * Sometimes, RFC 6265-compliant web servers may send back a cookie whose
+     * value is enclosed in double quotes, such as:
+     *
+     *   Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard
+     *
+     * Where the double quotes at the start and the end of the header value are
+     * just delimiters. This is perfectly legal: Etherpad parsing logic should
+     * cope with that, and remove the quotes early in the request phase.
+     *
+     * Somehow, this does not happen, and in such cases the actual value that
+     * sessionCookie ends up having is:
+     *
+     *   sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"'
+     *
+     * As quick measure, let's strip the double quotes (when present).
+     * Note that here we are being minimal, limiting ourselves to just removing
+     * quotes at the start and the end of the string.
+     *
+     * Fixes #3819.
+     * Also, see #3820.
+     */
+    let sessionIDs = sessionCookie.replace(/^"|"$/g, '').split(',');
     // was previously iterated in parallel using async.forEach
     try {
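Review bot: The regex `/^"|"$/g` on the new `let sessionIDs` line strips each quote independently, so an unbalanced value such as `"s.abc` or `s.abc"` is also accepted and rewritten, which is looser than the RFC 6265 quoted-string form the comment above it describes. Since this value comes straight from the client's cookie and feeds the session lookup that follows, only a balanced pair should be treated as delimiters, e.g. `const quoted = /^"(.*)"$/.exec(sessionCookie);` followed by `let sessionIDs = (quoted ? quoted[1] : sessionCookie).split(',');`, so that anything else reaches the lookup unchanged and fails there rather than being silently normalized. The comment already notes that this is a local workaround rather than a fix in the request-parsing phase; a short `// TODO: remove once cookie parsing unquotes values (see #3820)` on the code line would make that follow-up easier to find. The body of `checkAccess` continues outside the hunk, so I could not check how each entry of `sessionIDs` is used after the `try {`.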