diff --git a/meshagent.js b/meshagent.js
index e8a90616..84ae2bfe 100644
--- a/meshagent.js
+++ b/meshagent.js
@@ -157,7 +157,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
 
                 // We need to check if the core is current. Figure out what core we need.
                 var corename = null;
-                if (parent.parent.meshAgentsArchitectureNumbers[obj.agentInfo.agentId] != null) {
+                if ((obj.agentInfo != null) && (parent.parent.meshAgentsArchitectureNumbers[obj.agentInfo.agentId] != null)) {
                     if ((obj.agentCoreCheck == 1001) || (obj.agentCoreUpdate == true)) {
                         // If the user asked, use the recovery core.
                         corename = parent.parent.meshAgentsArchitectureNumbers[obj.agentInfo.agentId].rcore;
@@ -1659,7 +1659,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
 
     // Update the mesh agent tab in the database
     function ChangeAgentTag(tag) {
-        if (obj.agentInfo.capabilities & 0x40) return;
+        if ((obj.agentInfo == null) || (obj.agentInfo.capabilities & 0x40)) return;
         if ((tag != null) && (tag.length == 0)) { tag = null; }
 
         // If the device is pending a change, hold.
diff --git a/meshcentral.js b/meshcentral.js
index a0a9bbbe..9ea90dcb 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -2621,6 +2621,7 @@ function CreateMeshCentralServer(config, args) {
 
     // Decode a cookie back into an object using a key using AES256-GCM or AES128-CBC/HMAC-SHA384. Return null if it's not a valid cookie. (key must be 32 bytes or more)
     obj.decodeCookie = function (cookie, key, timeout) {
+        if ((cookie == null) || (key == null)) return null;
         var r = obj.decodeCookieAESGCM(cookie, key, timeout);
         if (r == null) { r = obj.decodeCookieAESSHA(cookie, key, timeout); }
         if ((r == null) && (obj.args.cookieencoding == null) && (cookie.length != 64) && ((cookie == cookie.toLowerCase()) || (cookie == cookie.toUpperCase()))) {
diff --git a/mpsserver.js b/mpsserver.js
index 699b29f9..1fa55b32 100644
--- a/mpsserver.js
+++ b/mpsserver.js
@@ -615,7 +615,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
                                 return;
                             } else {
                                 // Node is not in the database, add it. Credentials will be empty until added by the user.
-                                var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: socket.remoteAddr, domain: mesh.domain, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
+                                var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: socket.remoteAddr, domain: mesh.domain, intelamt: { user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
                                 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
                                 obj.db.Set(device);
 
diff --git a/webserver.js b/webserver.js
index dbef258a..acfbe28d 100644
--- a/webserver.js
+++ b/webserver.js
@@ -2414,9 +2414,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
             // Fetch the web state
             parent.debug('web', 'handleRootRequestEx: success.');
             obj.db.Get('ws' + user._id, function (err, states) {
-                var webstate = (states.length == 1) ? obj.filterUserWebState(states[0].state) : '';
+                var webstate = '';
+                if ((err == null) && (states != null) && (Array.isArray(states)) && (states.length == 1) && (states[0].state != null)) { webstate = obj.filterUserWebState(states[0].state); }
                 if ((webstate == '') && (typeof domain.defaultuserwebstate == 'object')) { webstate = JSON.stringify(domain.defaultuserwebstate); } // User has no web state, use defaults.
-                if (typeof domain.forceduserwebstate == 'object') { // Forces initial user web state is present, use it.
+                if (typeof domain.forceduserwebstate == 'object') { // Forces initial user web state if present, use it.
                     var webstate2 = {};
                     try { if (webstate != '') { webstate2 = JSON.parse(webstate); } } catch (ex) { }
                     for (var i in domain.forceduserwebstate) { webstate2[i] = domain.forceduserwebstate[i]; }