diff --git a/helper/Permission.js b/helper/Permission.js
index 9f835c49..3951d40f 100644
--- a/helper/Permission.js
+++ b/helper/Permission.js
@@ -40,6 +40,9 @@ module.exports.needLogin = (req, res, trueCallBack, falseCallBack) => {
 const counter = require('../core/counter');
 module.exports.isMaster = (wsSession, notPermssionCounter) => {
+ if (!wsSession.username || typeof wsSession.username != 'string') {
+ return false;
+ }
 let username = wsSession.username.trim() || '';
 if (username) {
 if (username.substr(0, 1) == '#') {
diff --git a/route/token.js b/route/token.js
index 639dc5b8..1392227c 100644
--- a/route/token.js
+++ b/route/token.js
@@ -4,17 +4,25 @@ const response = require('../helper/Response');
 const permssion = require('../helper/Permission');
 const VarCenter = require('../model/VarCenter');
 const counter = require('../core/counter');
+const UUID = require('uuid');
 //Token
 router.get('/', function (req, res) {
 //ajax 会受到浏览器跨域限制,姑不能对其进行csrf攻击获取token,尽管它可伪造。
 if (req.xhr) {
- var UUID = require('uuid');
 if (!req.session['token']) {
 //强化 token
 req.session['token'] = permssion.randomString(6) + UUID.v4().replace(/-/igm, "");
 }
 let username = req.session['username'] || undefined;
+ if (username == undefined || username.trim() == '') {
+ //用户未登录,返回一个随机的 token 给它,并且这个 token 与正常的 token 几乎一模一样
+ response.returnMsg(res, 'token', {
+ token: permssion.randomString(6) + UUID.v4().replace(/-/igm, ""),
+ username: username,
+ });
+ return;
+ }
 VarCenter.get('user_token')[req.session['token']] = username;
 response.returnMsg(res, 'token', {
 token: req.session['token'],
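Review bot: The new guard in `isMaster` reads `wsSession.username` before anything checks `wsSession` itself, so if a caller can ever hand in a null or undefined session this still throws a TypeError rather than answering "not master"; the `typeof` test already rejects `undefined` and `null`, so the leading `!wsSession.username` adds nothing, and the comparison should be strict. I would write the guard as `if (!wsSession || typeof wsSession.username !== 'string') {` followed by `return false;` and leave the `trim()` line as is. Also note that this early `return false` happens without touching `notPermssionCounter`; if the remainder of the function records denied attempts on that counter, a session with no usable username now bypasses that accounting, which is worth confirming. The body of `isMaster` continues past the end of this hunk.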