diff --git a/clientapi/routing/register.go b/clientapi/routing/register.go
index f8fa0dad3..af8d14f13 100644
--- a/clientapi/routing/register.go
+++ b/clientapi/routing/register.go
@@ -156,6 +156,13 @@ func (d *sessionsDict) startTimer(duration time.Duration, sessionID string) {
 	})
 }
 
+func (d *sessionsDict) hasSession(sessionID string) bool {
+	d.RLock()
+	defer d.RUnlock()
+	_, ok := d.sessions[sessionID]
+	return ok
+}
+
 // addCompletedSessionStage records that a session has completed an auth stage
 // also starts a timer to delete the session once done.
 func (d *sessionsDict) addCompletedSessionStage(sessionID string, stage authtypes.LoginType) {
diff --git a/clientapi/routing/register_publickey.go b/clientapi/routing/register_publickey.go
index 258a47249..f5c972bb1 100644
--- a/clientapi/routing/register_publickey.go
+++ b/clientapi/routing/register_publickey.go
@@ -62,7 +62,7 @@ func handlePublicKeyRegistration(
 		return false, authtypes.LoginStagePublicKeyNewRegistration, nil
 	}
 
-	if _, ok := sessions.sessions[authHandler.GetSession()]; !ok {
+	if !sessions.hasSession(authHandler.GetSession()) {
 		return false, "", &util.JSONResponse{
 			Code: http.StatusUnauthorized,
 			JSON: jsonerror.Unknown("the session ID is missing or unknown."),