diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py
--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -289,6 +289,21 @@ def get_container_username(environ, conf
     return username
 
 
+class CookieStoreWrapper(object):
+
+    def __init__(self, cookie_store):
+        self.cookie_store = cookie_store
+
+    def __repr__(self):
+        return 'CookieStore<%s>' % (self.cookie_store)
+
+    def get(self, key, other=None):
+        if isinstance(self.cookie_store, dict):
+            return self.cookie_store.get(key, other)
+        elif isinstance(self.cookie_store, AuthUser):
+            return self.cookie_store.__dict__.get(key, other)
+
+
 class  AuthUser(object):
     """
     A simple object that handles all attributes of user in RhodeCode
@@ -377,6 +392,12 @@ class  AuthUser(object):
 
     @classmethod
     def from_cookie_store(cls, cookie_store):
+        """
+        Creates AuthUser from a cookie store
+
+        :param cls:
+        :param cookie_store:
+        """
         user_id = cookie_store.get('user_id')
         username = cookie_store.get('username')
         api_key = cookie_store.get('api_key')
diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -17,7 +17,7 @@ from rhodecode import __version__, BACKE
 
 from rhodecode.lib import str2bool, safe_unicode
 from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
-    HasPermissionAnyMiddleware
+    HasPermissionAnyMiddleware, CookieStoreWrapper
 from rhodecode.lib.utils import get_repo_slug, invalidate_cache
 from rhodecode.model import meta
 
@@ -133,7 +133,7 @@ class BaseController(WSGIController):
         try:
             # make sure that we update permissions each time we call controller
             api_key = request.GET.get('api_key')
-            cookie_store = session.get('rhodecode_user') or {}
+            cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
             user_id = cookie_store.get('user_id', None)
             username = get_container_username(environ, config)
 
@@ -142,11 +142,9 @@ class BaseController(WSGIController):
             self.rhodecode_user = c.rhodecode_user = auth_user
             if not self.rhodecode_user.is_authenticated and \
                        self.rhodecode_user.user_id is not None:
-                self.rhodecode_user\
-                    .set_authenticated(cookie_store.get('is_authenticated'))
-
-            session['rhodecode_user'] = self.rhodecode_user.get_cookie_store()
-            session.save()
+                self.rhodecode_user.set_authenticated(
+                    cookie_store.get('is_authenticated')
+                )
             log.info('User: %s accessed %s' % (
                 auth_user, safe_unicode(environ.get('PATH_INFO')))
             )