we don't accept empty token.

server.go

@@ -167,7 +167,7 @@ func checkCookieSignatureBytoken(r *http.Request, token string) bool {
 			timestamp = c.Value
 		}
 	}
-	if signature != "" && nonce != "" && timestamp != "" {
+	if signature != "" && nonce != "" && timestamp != "" && token != "" {
 		return verifySignature(signature, timestamp, nonce, IntraAPIConfig.CRMSecrete)
 	}
 	return false