diff --git a/utils/auth-client/index.js b/utils/auth-client/index.js
index 72be0ee..3b3e256 100644
--- a/utils/auth-client/index.js
+++ b/utils/auth-client/index.js
@@ -66,7 +66,10 @@ export default class AuthenticationClient {
 }
 checkSession(resolve, reject) {
- this.webAuth.checkSession({state: {returnUrl: window.location.href}}, (err, result) => {
+ const state = {returnUrl: window.location.href};
+ const nonce = new Date().getTime().toString();
+ storeStateAndNonce(state, nonce);
+ this.webAuth.checkSession({state: JSON.stringify(state), nonce: nonce}, (err, result) => {
 if (err) {
 return reject(err || 'Re-authentication failed');
 } else {
diff --git a/utils/graph-client/utils.js b/utils/graph-client/utils.js
index 57b4ea4..1683989 100644
--- a/utils/graph-client/utils.js
+++ b/utils/graph-client/utils.js
@@ -22,14 +22,7 @@ const errorLink = onError(({ graphQLErrors, networkError, operation, forward })
 }
 if (networkError) {
 if (networkError.statusCode === 401) {
- webAuth.checkSession((response) => {
- const oldHeaders = operation.getContext().headers;
- operation.setContext({
- headers: {
- ...oldHeaders,
- Authorization: `Bearer ${webAuth.accessToken()}`,
- },
- });
+ webAuth.checkSession(() => {
 return forward(operation);
 }, (err) => {
 console.log(err);
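Review bot: The nonce on the added line `const nonce = new Date().getTime().toString();` is a millisecond timestamp, so it is guessable and gives little of the replay protection a nonce is meant to provide; the `state` that is sent is likewise only the serialised `returnUrl`, with no unpredictable component. Generate the value from the platform CSPRNG instead, e.g. `const nonce = Array.from(crypto.getRandomValues(new Uint8Array(16)), (b) => b.toString(16).padStart(2, '0')).join('');`, and add a random field to `state` in the same way. The callback body continues past the hunk, so it is not visible whether the returned state and nonce are compared with what `storeStateAndNonce` saved, or whether `returnUrl` is checked to be same-origin before it is used; both checks should exist. `storeStateAndNonce` is neither defined nor imported in the visible lines.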
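Review bot: The Observable produced by `return forward(operation);` is returned to the `checkSession` callback rather than to `onError`, and the `webAuth.checkSession(...)` call itself is not returned, so unless `checkSession` subscribes to that value the retry after a 401 probably never runs. Returning an Observable from the handler would make the retry explicit: `return new Observable((observer) => { webAuth.checkSession(() => forward(operation).subscribe(observer), (err) => observer.error(err)); });`. With the `setContext` block removed, the retried request also depends on some other link re-reading the refreshed token, which is not visible here and deserves a one-line comment saying where that happens. The failure callback only does `console.log(err);` in the visible lines and continues outside the hunk, so it is unclear whether a failed re-authentication ever sends the user back to login.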