diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 74390edfdd03a57702b4828602336005d498b10a..d586e5104bea037e2cad277add1afc70b3a4e929 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -515,8 +515,11 @@ class SimpleSAML_Session {
 		if (!isset($data['AuthnInstant'])) {
 			$data['AuthnInstant'] = time();
 		}
-		if (!isset($data['Expire'])) {
-			$data['Expire'] = time() + $globalConfig->getInteger('session.duration', 8*60*60);
+
+		$maxSessionExpire = time() + $globalConfig->getInteger('session.duration', 8*60*60);
+		if (!isset($data['Expire']) || $data['Expire'] > $maxSessionExpire) {
+			/* Unset, or beyond our session lifetime. Clamp it to our maximum session lifetime. */
+			$data['Expire'] = $maxSessionExpire;
 		}
 
 		$this->authData[$authority] = $data;
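Review bot: The new clamp on `$data['Expire']` enforces only the upper bound and relies on a loose `>` comparison, so a caller-supplied value that is not an integer timestamp is compared under PHP's type-juggling rules and may be stored unchanged. Whether every authentication source passes an integer here is not visible in this hunk, and the enclosing method starts and ends outside it. I would make the guard explicit with `if (!isset($data['Expire']) || !is_int($data['Expire']) || $data['Expire'] > $maxSessionExpire) {`. I would also extend the comment to `/* Unset, not an integer timestamp, or beyond our session lifetime. Clamp it to our maximum session lifetime. */`. A short comment saying that `Expire` can originate from the identity provider, and that local `session.duration` is the authoritative ceiling, would also help.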