diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e1d504215..b1359ffc2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
 when ActionController::BadRequest
 render_error_page(400, exception)
 when SessionLoader::AuthenticationFailure
- render_error_page(401, exception)
+ render_error_page(401, exception, template: "sessions/new")
 when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest
 render_error_page(403, exception)
 when User::PrivilegeError
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7146807a0..807cf2c37 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
 respond_to :html, :json
- skip_forgery_protection only: :create, if: -> { request.format.json? }
+ skip_forgery_protection only: :create, if: -> { !request.format.html? }
 def new
 @user = User.new
@@ -14,15 +14,8 @@ class SessionsController < ApplicationController
 url = posts_path if url.nil?
 respond_with(session_creator.user, location: url, methods: [:api_token])
 else
- respond_with("password was incorrect", location: new_session_path) do |fmt|
- fmt.json do
- render json: { error: true, message: "password was incorrect"}.to_json, status: 401
- end
-
- fmt.html do
- flash[:notice] = "Password was incorrect"
- end
- end
+ flash.now[:notice] = "Password was incorrect"
+ raise SessionLoader::AuthenticationFailure
 end
 end
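Review bot: The `when SessionLoader::AuthenticationFailure` branch now renders `sessions/new` for this exception wherever it is raised, but the only other visible path to that template is `SessionsController#new`, which assigns `@user = User.new` first. If the template reads `@user` (not visible here), rendering it from the rescue path would fail inside the error handler and turn the 401 into a 500. Assigning the variable in this branch, `@user ||= User.new`, before the `render_error_page` call would cover that. A short comment should also say whether non-HTML clients still get the plain 401 body rather than the login form. The enclosing rescue method starts and ends outside the hunk.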
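Review bot: The condition `!request.format.html?` on `skip_forgery_protection` turns off CSRF verification for `create` on every format except HTML, which is broader than the `respond_to :html, :json` declared on the line above it. The format is selected by the request itself, so a login POST labelled with any non-HTML format is accepted without an authenticity token. Login CSRF (a browser being signed into an account its user did not choose) is the risk that token guards against on this action. An explicit allow-list keeps the exemption narrow, for example `if: -> { request.format.json? || request.format.xml? }` if XML is the format this change is meant to admit. A comment should state why each listed format is exempt.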
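Review bot: The new failure branch raises `SessionLoader::AuthenticationFailure` without a message, so the error text API clients previously received from the removed `fmt.json` block now depends entirely on how the rescue handler renders the exception. Passing the message with the exception keeps the response body and any log entry explicit: `raise SessionLoader::AuthenticationFailure, "Password was incorrect"`. `flash.now[:notice]` is also set for requests that will never render a flash, which is harmless but could be limited to HTML requests. A test that a failed JSON login still returns 401 with an error body, not the HTML login form, would pin the intended behaviour. The `create` method starts outside the hunk.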