diff --git a/selinux/cockpit.te b/selinux/cockpit.te
index ecd10817e2f5..3dae36c85a8d 100644
--- a/selinux/cockpit.te
+++ b/selinux/cockpit.te
@@ -49,9 +49,6 @@ can_exec(cockpit_ws_t,cockpit_ws_exec_t)
 # systemd can execute cockpit-session
 can_exec(init_t,cockpit_session_exec_t)
-# cockpit-ws can execute cockpit-session
-can_exec(cockpit_ws_t,cockpit_session_exec_t)
-
 # cockpit-ws can read from /dev/urandom
 dev_read_urand(cockpit_ws_t) # for authkey
 dev_read_rand(cockpit_ws_t) # for libssh
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index bb6430236cc6..90c9230a1329 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -2,6 +2,8 @@
 Description=Cockpit Web Service http instance
 BindsTo=cockpit.service
 Documentation=man:cockpit-ws(8)
+Requires=cockpit-session.socket
+After=cockpit-session.socket
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index 7837467fb076..a304e5275bc0 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
@@ -2,6 +2,8 @@
 Description=Cockpit Web Service https instance %I
 BindsTo=cockpit.service
 Documentation=man:cockpit-ws(8)
+Requires=cockpit-session.socket
+After=cockpit-session.socket
 [Service]
 Slice=system-cockpithttps.slice
diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
index 35a4293045e9..f2bce37f1b80 100644
--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
@@ -50,7 +50,7 @@
 #define LOCAL_SESSION "local-session"
 /* Some tunables that can be set from tests */
-const gchar *cockpit_ws_session_program = LIBEXECDIR "/cockpit-session";
+const gchar *cockpit_ws_session_program = NULL;
 const gchar *cockpit_ws_ssh_program = LIBEXECDIR "/cockpit-ssh";
 /* Timeout of authenticated session when no connections */
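Review bot: The comment above `cockpit_ws_session_program` still describes it only as a test tunable, but with the default changed to `NULL` the value now selects between two transports and nothing at the definition says so. I would document that where the variable is defined, e.g. `/* NULL (the default): connect to the cockpit-session socket; tests may set a program path to spawn instead */`. The variable is a non-static global, so any other reader of it (none is visible in this diff) now has to tolerate `NULL`; worth checking the remaining users before merging.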
@@ -1137,7 +1137,12 @@ cockpit_session_launch (CockpitAuth *self,
 g_str_equal (type, "tls-cert"))
 {
 if (command == NULL && connect_to == NULL)
- command = cockpit_ws_session_program;
+ {
+ if (cockpit_ws_session_program)
+ command = cockpit_ws_session_program;
+ else
+ connect_to = "/run/cockpit/session";
+ }
 }
 g_autoptr(CockpitPipe) pipe = NULL;
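Review bot: The fallback `connect_to = "/run/cockpit/session";` hard-codes a path that has to match the `ListenStream=` of `cockpit-session.socket`, and that unit is not part of the visible diff, so the two can drift apart silently. A named constant next to the other tunables would keep the path in one place, e.g. `#define COCKPIT_SESSION_SOCKET "/run/cockpit/session"` and `connect_to = COCKPIT_SESSION_SOCKET;`. cockpit-session is now reachable through a filesystem socket instead of only by exec from cockpit-ws, so the socket unit should limit who may connect (its mode and owner are not shown here). The SELinux hunk only removes the `can_exec` rule and no rule letting `cockpit_ws_t` connect to that socket is visible, so confirm the policy covers the new path. The enclosing `if` condition and the rest of `cockpit_session_launch` lie outside the hunk.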