diff --git a/main.go b/main.go
index 3d62b98..f4d65c1 100644
--- a/main.go
+++ b/main.go
@@ -189,14 +189,26 @@ const sessionTTL = 6 * time.Minute // token valid for 6 min; client refreshes ev
 
 // issueToken creates a new signed token, stores it in Redis, and returns it.
 func issueToken(username string) (string, error) {
- ts := time.Now().Unix()
- token := makeToken(username, ts)
- // Store as "token:timestamp" so we can re-verify the HMAC on use
- val := token + ":" + itoa(ts)
- if err := rdb.Set(ctx, sessionKey(username), val, sessionTTL).Err(); err != nil {
- return "", err
- }
- return token, nil
+ // Check if a valid session already exists
+ stored, err := rdb.Get(ctx, sessionKey(username)).Result()
+ if err == nil {
+ // Parse out the existing token and return it
+ parts := strings.SplitN(stored, ":", 2)
+ if len(parts) == 2 {
+ // Refresh TTL and return the existing token
+ rdb.Expire(ctx, sessionKey(username), sessionTTL)
+ return username + ":" + parts[0], nil
+ }
+ }
+
+ // No valid session — issue a new one
+ ts := time.Now().Unix()
+ token := makeToken(username, ts)
+ val := token + ":" + itoa(ts)
+ if err := rdb.Set(ctx, sessionKey(username), val, sessionTTL).Err(); err != nil {
+ return "", err
+ }
+ return username + ":" + token, nil
 }
 
 // validateToken checks the Authorization header against the stored token.
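Review bot: The reuse branch in issueToken returns the stored token and resets its TTL on every call, so the token is never rotated and sessionTTL no longer bounds its lifetime. As long as issueToken runs for that user at least once per sessionTTL, a leaked token stays valid indefinitely, and every login for the user shares one bearer value. Consider parsing the stored timestamp in `parts[1]` and falling through to the reissue path once the token is older than a fixed maximum age. The result of `rdb.Expire` is also discarded, so a failed refresh returns a token that may expire earlier than the caller expects; `if err := rdb.Expire(ctx, sessionKey(username), sessionTTL).Err(); err != nil { return "", err }` would surface it. Separately, any `rdb.Get` error other than a missing key falls through to `rdb.Set` and can replace a session that is still valid, and the Get-then-Set sequence is not atomic across concurrent logins.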