diff --git a/README.md b/README.md
index 3e2b237b..dd6b6a8a 100644
--- a/README.md
+++ b/README.md
@@ -918,6 +918,7 @@ semi-intentional limitations:
 
 * cleanup of expired shares only works when global option `e2d` is set, and/or at least one volume on the server has volflag `e2d`
 * only folders from the same volume are shared; if you are sharing a folder which contains other volumes, then the contents of those volumes will not be available
+* if you change [password hashing](#password-hashing) settings after creating a password-protected share, then that share will stop working
 * related to [IdP volumes being forgotten on shutdown](https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md#idp-volumes-are-forgotten-on-shutdown), any shares pointing into a user's IdP volume will be unavailable until that user makes their first request after a restart
 * no option to "delete after first access" because tricky
   * when linking something to discord (for example) it'll get accessed by their scraper and that would count as a hit
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index a68e2831..82de30de 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -2931,7 +2931,8 @@ class HttpCli(object):
         self.parser.drop()
 
         self.log("logout " + self.uname)
-        self.asrv.forget_session(self.conn.hsrv.broker, self.uname)
+        if not self.uname.startswith("s_"):
+            self.asrv.forget_session(self.conn.hsrv.broker, self.uname)
         self.get_pwd_cookie("x")
 
         dst = self.args.SRS + "?h"
@@ -5504,6 +5505,7 @@ class HttpCli(object):
                 raise Pebkac(400, "selected file not found on disk: [%s]" % (fn,))
 
         pw = req.get("pw") or ""
+        pw = self.asrv.ah.hash(pw)
         now = int(time.time())
         sexp = req["exp"]
         exp = int(sexp) if sexp else 0