diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/ValidateLogin.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/ValidateLogin.js
index 9499c468..13d750dd 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/ValidateLogin.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/ValidateLogin.js
@@ -75,7 +75,6 @@ wtv-encrypted: true
 wtv-ticket: ${wtvsec_login.ticket_b64}
 `;
 	}
-	console.log(ssid_sessions[socket.ssid])
 	if (limitedLoginRegistered) gourl = "wtv-head-waiter:/password?";
 	headers += `
 wtv-visit: ${gourl}`;
diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/choose-user.js b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/choose-user.js
index e01fc57a..7ec8377c 100644
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/choose-user.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/choose-user.js
@@ -86,7 +86,19 @@ for (const [key, value] of Object.entries(accounts)) {
     if (key == "subscriber") data += `<font size=+1><b>${value['subscriber_username']}</b></font></a>`;
     else data += `<font size=+1>${value['subscriber_username']}</font>`
     data += "<td width=15><td nowrap>	<font color=42BD52>";
-    data += "<!-- do mailcheck here -->" // todo
+    var userSession = new WTVClientSessionData(minisrv_config, socket.ssid);
+    userSession.user_id = user_id;
+
+    var mailcount = 0;
+    if (userSession.mailstore.mailstoreExists()) {
+        if (userSession.mailstore.mailboxExists(0)) {
+            mailcount = userSession.mailstore.countUnreadMessages(0);
+        }
+    }
+    if (mailcount > 0) {
+        var mcnumber = (mailcount >= 100) ? "99+" : mailcount;
+        data += mcnumber + ` new message${(mcnumber != 1) ? 's' : ''}`;
+    }
     data += `</font>
 <tr>
 <td>
@@ -107,6 +119,8 @@ for (const [key, value] of Object.entries(accounts)) {
 while (accounts_listed < minisrv_config.config.user_accounts.max_users_per_account) {
     data += `<tr>
 <td>
+<td absheight=37><tr>
+<td>
 <td bgcolor=1e1e1e width=400 absheight=2 colspan=3>
 <img src="ROMCache/Spacer.gif" width=1 height=1>
 <tr>
@@ -116,11 +130,6 @@ while (accounts_listed < minisrv_config.config.user_accounts.max_users_per_accou
 <td>
 <td bgcolor=121212 width=400 absheight=2 colspan=3>
 <img src="ROMCache/Spacer.gif" width=1 height=1>`;
-    if (accounts_listed != minisrv_config.config.user_accounts.max_users_per_account - 1) {
-        data += `<tr>
-<td>
-<td absheight=37>`;
-    } 
     accounts_listed++;
 }
 
diff --git a/zefie_wtvp_minisrv/WTVClientSessionData.js b/zefie_wtvp_minisrv/WTVClientSessionData.js
index b0b1d087..44c6b619 100644
--- a/zefie_wtvp_minisrv/WTVClientSessionData.js
+++ b/zefie_wtvp_minisrv/WTVClientSessionData.js
@@ -1,6 +1,6 @@
 const { lib } = require('crypto-js');
 const CryptoJS = require('crypto-js');
-
+const WTVMail = require('./WTVMail.js')
 class WTVClientSessionData {
 
     fs = require('fs');
@@ -27,7 +27,6 @@ class WTVClientSessionData {
         if (!minisrv_config) throw ("minisrv_config required");
         var WTVShared = require('./WTVShared.js')['WTVShared'];
         var WTVMime = require('./WTVMime.js');
-        var WTVMail = require('./WTVMail.js');
         this.minisrv_config = minisrv_config;
         this.wtvshared = new WTVShared(minisrv_config);
         this.wtvmime = new WTVMime(minisrv_config);
@@ -38,7 +37,6 @@ class WTVClientSessionData {
         this.lockdownWhitelist = [
             "wtv-1800:/preregister",
             "wtv-head-waiter:/login",
-            "wtv-head-waiter:/password",
             "wtv-head-waiter:/ValidateLogin",
             "wtv-head-waiter:/login-stage-two",
             "wtv-head-waiter:/relogin",
@@ -50,16 +48,16 @@ class WTVClientSessionData {
         this.lockdownWhitelist.push(minisrv_config.config.service_logo);
 
         this.loginWhitelist = Object.assign([], this.lockdownWhitelist); // clone lockdown whitelist into login whitelist
+        this.loginWhitelist.push("wtv-head-waiter:/choose-user");
+        this.loginWhitelist.push("wtv-head-waiter:/password");
         this.mailstore = new WTVMail(minisrv_config, ssid, this);
     }
 
 
-    switchUserID(user_id) {
+    switchUserID(user_id, update_mail = true) {
         this.user_id = user_id;
-        var wtvsec_tmp = this.get("wtvsec_login");
         this.loadSessionData();
-        this.set("wtvsec_login", wtvsec_tmp);
-        wtvsec_tmp = null;
+        this.mailstore = new WTVMail(this.minisrv_config, this.ssid, this)
     }
 
     findFreeUserSlot() {
@@ -421,8 +419,11 @@ class WTVClientSessionData {
         return false;
     }
 
-    isRegistered() {
-        return (this.getSessionData("registered") && this.fs.existsSync(this.getUserStoreDirectory()));
+    isRegistered(session_mode = true) {
+        if (session_mode)
+            return (this.getSessionData("registered") && this.fs.existsSync(this.getUserStoreDirectory()));
+        else
+            return this.fs.existsSync(this.getUserStoreDirectory());
     }
 
     unregisterBox() {
@@ -650,9 +651,9 @@ class WTVClientSessionData {
     }
 
 
-    isAuthorized(url, whitelist = 'lockdown') {
+    isAuthorized(url, whitelist = 'lockdown', ignore_lockdown = false) {
         // not in lockdown so just return true
-        if (!this.lockdown) return true;
+        if (!this.lockdown && !ignore_lockdown) return true;
 
         // in lockdown, check whitelisted urls
         var self = this;
diff --git a/zefie_wtvp_minisrv/WTVMail.js b/zefie_wtvp_minisrv/WTVMail.js
index 4b54fc10..1b1ded8f 100644
--- a/zefie_wtvp_minisrv/WTVMail.js
+++ b/zefie_wtvp_minisrv/WTVMail.js
@@ -260,15 +260,16 @@ class WTVMail {
     }
 
     countMessages(mailboxid) {
-        var messages = this.listMessages(mailboxid, false);
-        return (messages.length) ? messages.length : 0;
+        var messages = this.listMessages(mailboxid, 100, false);
+        var message_count = Object.keys(messages).length;
+        return (message_count) ? message_count : 0;
     }
 
     countUnreadMessages(mailboxid) {
-        var messages = this.listMessages(mailboxid, false);
+        var messages = this.listMessages(mailboxid, 100, false);
         var unread = 0;
         Object.keys(messages).forEach(function (k) {
-            if (k.unread) unread++;
+            if (messages[k].unread) unread++;
         });
         return unread;
     }
diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js
index e088ff9f..70f468a5 100644
--- a/zefie_wtvp_minisrv/app.js
+++ b/zefie_wtvp_minisrv/app.js
@@ -397,14 +397,25 @@ async function processURL(socket, request_headers) {
 
         if (!ssid_sessions[socket.ssid].isUserLoggedIn() && !ssid_sessions[socket.ssid].isAuthorized(shortURL, 'login')) {
             // lockdown mode and URL not authorized
-            headers = "300 Unauthorized\n";
-            headers += "Location: " + minisrv_config.config.unauthorized_url + "\n";
+            headers = `300 Unauthorized
+Location: " + minisrv_config.config.unauthorized_url`;
             data = "";
             sendToClient(socket, headers, data);
             console.log(" * Rejected login bypass request for " + shortURL + " on socket ID", socket.id);
             return;
         }
 
+        if (ssid_sessions[socket.ssid].isRegistered(false) && !ssid_sessions[socket.ssid].isAuthorized(shortURL, 'login', true)) {
+            if (!ssid_sessions[socket.ssid].getSessionData("subscriber_username")) {
+                headers = `300 Session Error
+Location: client:relogin`;
+                data = "";
+                sendToClient(socket, headers, data);
+                console.log(" * Session error: Asking client to relogin via socket ID", socket.id);
+                return;
+            }
+        }
+
 
         // Check URL for :/, but not :// (to differentiate wtv urls)
         if (shortURL.indexOf(':/') >= 0 && shortURL.indexOf('://') == -1) {