diff --git a/cmd/app.go b/cmd/app.go
index 89c0e69..3cb8594 100644
--- a/cmd/app.go
+++ b/cmd/app.go
@@ -27,6 +27,7 @@ import (
 "net/http"
 "time"
 
+ "github.com/knadh/koanf"
 "github.com/knadh/koanf/parsers/toml"
 "github.com/knadh/koanf/providers/confmap"
 log "github.com/sirupsen/logrus"
@@ -61,38 +62,6 @@ func main() {
 ctx = services.InitI18n(ctx, logger, config.Strings("i18n.languages"))
 services.AddMessages(ctx)
 
- sessionPath := config.MustString("session.path")
- sessionAuthKey, err := base64.StdEncoding.DecodeString(config.String("session.auth-key"))
- if err != nil {
- log.Fatalf("could not decode session auth key: %s", err)
- }
- sessionEncKey, err := base64.StdEncoding.DecodeString(config.String("session.enc-key"))
- if err != nil {
- log.Fatalf("could not decode session encryption key: %s", err)
- }
-
- generated := false
- if len(sessionAuthKey) != 64 {
- sessionAuthKey = services.GenerateKey(64)
- generated = true
- }
- if len(sessionEncKey) != 32 {
- sessionEncKey = services.GenerateKey(32)
- generated = true
- }
-
- if generated {
- _ = config.Load(confmap.Provider(map[string]interface{}{
- "session.auth-key": sessionAuthKey,
- "session.enc-key": sessionEncKey,
- }, "."), nil)
- tomlData, err := config.Marshal(toml.Parser())
- if err != nil {
- log.Fatalf("could not encode session config")
- }
- log.Infof("put the following in your resource_app.toml:\n%s", string(tomlData))
- }
-
 tlsClientConfig := &tls.Config{
 MinVersion: tls.VersionTLS12,
 }
@@ -119,6 +88,7 @@ func main() {
 log.Fatalf("OpenID Connect discovery failed: %s", err)
 }
 
+ sessionPath, sessionAuthKey, sessionEncKey := configureSessionParameters(config, err)
 services.InitSessionStore(logger, sessionPath, sessionAuthKey, sessionEncKey)
 
 authMiddleware := handlers.Authenticate(ctx, logger, oidcClientId)
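Review bot: The `err` argument in `configureSessionParameters(config, err)` is never read by the helper, whose first use of the name is `sessionAuthKey, err := base64.StdEncoding.DecodeString(...)`, which overwrites the parameter before anything inspects it. The value handed over is whatever the preceding OpenID Connect discovery check left behind, so the argument only suggests an error dependency that does not exist. I would drop it on both sides: `sessionPath, sessionAuthKey, sessionEncKey := configureSessionParameters(config)` here, and `func configureSessionParameters(config *koanf.Koanf) (string, []byte, []byte)` in the definition added at the end of the file. The body of main continues outside this hunk.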
@@ -173,3 +143,38 @@ func main() {
 
 handlers.StartApplication(logger, ctx, server, config)
 }
+
+func configureSessionParameters(config *koanf.Koanf, err error) (string, []byte, []byte) {
+ sessionPath := config.MustString("session.path")
+ sessionAuthKey, err := base64.StdEncoding.DecodeString(config.String("session.auth-key"))
+ if err != nil {
+ log.Fatalf("could not decode session auth key: %s", err)
+ }
+ sessionEncKey, err := base64.StdEncoding.DecodeString(config.String("session.enc-key"))
+ if err != nil {
+ log.Fatalf("could not decode session encryption key: %s", err)
+ }
+
+ generated := false
+ if len(sessionAuthKey) != 64 {
+ sessionAuthKey = services.GenerateKey(64)
+ generated = true
+ }
+ if len(sessionEncKey) != 32 {
+ sessionEncKey = services.GenerateKey(32)
+ generated = true
+ }
+
+ if generated {
+ _ = config.Load(confmap.Provider(map[string]interface{}{
+ "session.auth-key": sessionAuthKey,
+ "session.enc-key": sessionEncKey,
+ }, "."), nil)
+ tomlData, err := config.Marshal(toml.Parser())
+ if err != nil {
+ log.Fatalf("could not encode session config")
+ }
+ log.Infof("put the following in your resource_app.toml:\n%s", string(tomlData))
+ }
+ return sessionPath, sessionAuthKey, sessionEncKey
+}
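Review bot: The `if generated` branch of `configureSessionParameters` marshals the entire `config` and writes it through `log.Infof`, so the new session authentication and encryption keys reach the application log along with every other loaded setting, which may include further secrets. The keys are also loaded as raw `[]byte` while startup reads them back with `base64.StdEncoding.DecodeString`, so the printed TOML probably does not round-trip, and the `Load` error is discarded with `_ =`. I would marshal only the two keys, base64-encoded, from a separate koanf instance and check the `Load` error, as sketched below; this assumes nothing later reads the generated keys back from `config`. Even then the output is key material, so the destination of this log line should be treated as sensitive.

```go
	if generated {
		// Export only the two generated keys, never the full application config.
		generatedKeys := koanf.New(".")
		if err := generatedKeys.Load(confmap.Provider(map[string]interface{}{
			"session.auth-key": base64.StdEncoding.EncodeToString(sessionAuthKey),
			"session.enc-key":  base64.StdEncoding.EncodeToString(sessionEncKey),
		}, "."), nil); err != nil {
			log.Fatalf("could not load generated session keys: %s", err)
		}
		tomlData, err := generatedKeys.Marshal(toml.Parser())
		// … unchanged: marshal error check and log.Infof of tomlData …
	}
```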