diff --git a/kdc/fast.c b/kdc/fast.c
index 8f663b0fe..372b1f836 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -114,6 +114,12 @@ fast_parse_cookie(kdc_request_t r, const PA_DATA *pa)
 if (ret)
 goto out;
+ if (r->fast.expiration < kdc_time) {
+ kdc_log(r->context, r->config, 0, "fast cookie expired");
+ ret = KRB5KDC_ERR_POLICY;
+ goto out;
+ }
+
 out:
 free_KDCFastCookie(&data);
@@ -131,6 +137,8 @@ fast_add_cookie(kdc_request_t r, METHOD_DATA *method_data)
 memset(&shell, 0, sizeof(shell));
+ r->fast.expiration = kdc_time + FAST_EXPIRATION_TIME;
+
 ASN1_MALLOC_ENCODE(KDCFastState, data.data, data.length, &r->fast, &size, ret);
 if (ret)
diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h
index 1b369db0f..9d3c73a32 100644
--- a/kdc/kdc_locl.h
+++ b/kdc/kdc_locl.h
@@ -47,6 +47,8 @@ typedef struct kdc_request_desc *kdc_request_t;
 #include
+#define FAST_EXPIRATION_TIME (3 * 60)
+
 struct kdc_request_desc {
 krb5_context context;
 krb5_kdc_configuration *config;
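Review bot: The expiry branch added in fast_parse_cookie returns `KRB5KDC_ERR_POLICY`, which a client cannot tell apart from a genuine policy refusal, so it gets no signal that it should restart pre-authentication with a fresh conversation. RFC 6113 defines KDC_ERR_PREAUTH_EXPIRED for expired pre-authentication state; if this tree has a constant for that code, it is the better value for `ret` here. The check reads `r->fast.expiration`, so the cookie state has presumably already been decoded into the request when this path is taken. The cleanup after `out:` lies outside the hunk, and it is worth confirming that no caller uses that expired state once the error is returned.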
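Review bot: In fast_add_cookie the assignment `r->fast.expiration = kdc_time + FAST_EXPIRATION_TIME;` runs for every cookie that is issued, so each round trip pushes the deadline out again. The limit therefore bounds the gap between two messages rather than the lifetime of the whole conversation. If the intent is to cap the conversation, set the field only while it is still unset, for example `if (r->fast.expiration == 0) r->fast.expiration = kdc_time + FAST_EXPIRATION_TIME;`, which assumes the state is zero-initialized for a new conversation (not shown in the hunk). If the sliding window is intended, a one-line comment saying so would keep it from being "fixed" later. The function body continues outside the hunk.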
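Review bot: `FAST_EXPIRATION_TIME` in kdc/kdc_locl.h has no comment giving its unit or purpose; it is added to `kdc_time` in kdc/fast.c, so it is evidently a number of seconds. Suggest `/* Lifetime of the FAST cookie state, in seconds */` above the define. The value is fixed at build time, and whether it belongs in the KDC configuration instead is a question for the maintainers.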