diff --git a/auth/session.go b/auth/session.go
index c7c81e4a0cf1f0bbef631822438a8c5cc1d55fb3..009cef2cc86aaad9f8053e70470c09a2838a463c 100644
--- a/auth/session.go
+++ b/auth/session.go
@@ -51,17 +51,19 @@ func GetSignedSessionTokenString(request events.APIGatewayProxyRequest, secretKe
 
 // ValidateJWTWithSessionTokens attempts to validate the JWT string by signing each session token using the secret, and
 // using the resulting signed session token to validate the JWT. If the JWT can be validated using a session token, the
-// JsonWebToken is returned, otherwise nil is returned.
-func ValidateJWTWithSessionTokens(jsonWebTokenString string, secretKey string, sessionTokens []string) *JsonWebToken {
+// JsonWebToken is returned, otherwise nil is returned. If the JWT is expired, nil is returned along with the session token.
+func ValidateJWTWithSessionTokens(jsonWebTokenString string, secretKey string, sessionTokens []string) (validJsonWebToken *JsonWebToken, expiredSessionToken *string) {
 	// Test each session token to find one that is valid
 	for _, sessionToken := range sessionTokens {
 		jsonWebToken, err := ValidateJWTWithSessionToken(jsonWebTokenString, secretKey, sessionToken)
 		if err == nil {
-			return &jsonWebToken
+			return &jsonWebToken, nil
+		} else if err.Error() == "token has expired" {
+			return nil, &sessionToken
 		}
 	}
 
-	return nil
+	return nil, nil
 }
 
 // FindAndRemoveCurrentSessionToken attempts to validate the JWT string by signing each session token using the secret,
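Review bot: The expiry branch `err.Error() == "token has expired"` keys a security decision on the text of an error message, so a reworded or wrapped error from ValidateJWTWithSessionToken would silently turn an expired JWT into the generic `nil, nil` result. A sentinel error checked with `} else if errors.Is(err, ErrTokenExpired) {` would be sturdier (ErrTokenExpired is a placeholder name; use whatever the validator actually exports). ValidateJWTWithSessionToken is outside this hunk, so please confirm it reports expiry only after the signature has verified against that session token. If the expiry check runs first, the loop would return the first session token in the slice as `expiredSessionToken` for any expired JWT, and a caller acting on it could drop a session the JWT was never bound to. The doc comment should state that guarantee, e.g. `// expiredSessionToken is non-nil only when the JWT's signature matched that session token but its expiry has passed.`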