diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
index 2b2a5dead..7643c3647 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@@ -499,8 +499,8 @@ sub fetchId {
 and not $class->_isHttps( $req, $vhost ) ); my $cn = $class->tsv->{cookieName}; my $value = $lookForHttpCookie # Avoid prefix and bad cookie name (#2417) - ? ( $t =~ /(?tsv->{securedCookie} == 3 ) { $value = $class->tsv->{cipher}->decryptHex( $value, "http" );
diff --git a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
index 675f01748..6ca14b624 100644
--- a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
+++ b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
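Review bot: The replacement for the `? ( $t =~ /(?` line is not visible in this rendering (the text from `/(?` up to `tsv->` was lost, so the old and new lookbehind cannot be compared here); judging from the accompanying tests, the new pattern rejects `fake-lemonldap`, `fake.lemonldap`, `fake_lemonldap` and `fake~lemonldap` in addition to `fakelemonldap`. Whatever lookbehind is used, a list of separator characters is fragile because RFC 6265 allows any token character in a cookie name (`!#$%&'*+-.^_`|~` plus alphanumerics), so the robust boundary is "start of header or right after `;` and optional whitespace", e.g. `( $t =~ /(?:^|;\s*)\Q$cn\E=([^;]*)/ ? $1 : 0 )`. If `$cn` is interpolated into the pattern as-is, the `\Q...\E` also keeps a configured cookie name containing regex metacharacters (a `.` is common) from matching more than the literal name. A short comment above the pattern naming the rule would help the next reader, e.g. `# A cookie name is a token: only match at header start or directly after ';'`. fetchId starts and ends outside the hunk.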
@@ -127,14 +127,32 @@ count(3); # Bad cookie name ok( $res = $client->_get( '/', undef, undef, "fakelemonldap=$sessionId" ), - 'Unauthentified query' ); -ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 ); + 'Bad cookie name' ); +ok( $res->[0] == 302, ' Code is 302 (name)' ) or explain( $res, 302 ); count(2); # Bad cookie name ok( $res = $client->_get( '/', undef, undef, "fake-lemonldap=$sessionId" ), - 'Unauthentified query' ); -ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 ); + 'Bad cookie name (-)' ); +ok( $res->[0] == 302, ' Code is 302 (-)' ) or explain( $res, 302 ); +count(2); + +# Bad cookie name +ok( $res = $client->_get( '/', undef, undef, "fake.lemonldap=$sessionId" ), + 'Bad cookie name (.)' ); +ok( $res->[0] == 302, ' Code is 302 (.)' ) or explain( $res, 302 ); +count(2); + +# Bad cookie name +ok( $res = $client->_get( '/', undef, undef, "fake_lemonldap=$sessionId" ), + 'Bad cookie name (_)' ); +ok( $res->[0] == 302, ' Code is 302 (_)' ) or explain( $res, 302 ); +count(2); + +# Bad cookie name +ok( $res = $client->_get( '/', undef, undef, "fake~lemonldap=$sessionId" ), + 'Bad cookie name (~)' ); +ok( $res->[0] == 302, ' Code is 302 (~)' ) or explain( $res, 302 ); count(2); # Bad cookie