diff --git a/README.md b/README.md
index 6beda21..c63fcb5 100644
--- a/README.md
+++ b/README.md
@@ -121,9 +121,27 @@ passportSocketIo.filterSocketsByUser(io, function(user){
 });
 ```
+## CORS-Workaround:
+If you happen to have to work with Cross-Origin-Requests (marked by socket.io as `handshake.xdomain`) then here's a workaround:
+
+### Clientside:
+You have to provide the session-cookie. If you haven't set a name yet, do it like this: `app.use(express.session({ key: 'your.sid-key' }));`
+```javascript
+// Note: ther's no readCookie-function built in.
+// Get your own in the internetz
+socket = io.connect('//' + window.location.host, {
+ query: 'session_id=' + readCookie('your.sid-key')
+});
+```
+
+### Serverside:
+Nope, there's nothing to do on the server side. Just be sure that the cookies names match.
+
+
 ## Notes:
 * Does **NOT** support cookie-based sessions. eg: `express.cookieSession`
-* If the connection fails, check if you are requesting from a client via CORS. Check `socket.handshake.xdomain === true` as there are no cookies sent.
+* If the connection fails, check if you are requesting from a client via CORS. Check `socket.handshake.xdomain === true` as there are no cookies sent. For a workaround look at the code above.
+
 ## Contribute
 You are always welcome to open an issue or provide a pull-request!
diff --git a/lib/index.js b/lib/index.js
index a6fe799..46c1b43 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -35,13 +35,13 @@ function authorize(options) {
 return function(data, accept){
 data.cookie = parseCookie(auth, data.headers.cookie || '');
- data.sessionID = data.cookie[auth.key] || '';
+ data.sessionID = data.query.session_id || data.cookie[auth.key] || '';
 data[auth.userProperty] = { logged_in: false };
- if(data.xdomain)
- return auth.fail(data, 'Can not read cookies from CORS-Requests.', false, accept);
+ if(data.xdomain && !data.sessionID)
+ return auth.fail(data, 'Can not read cookies from CORS-Requests. See CORS-Workaround in the readme.', false, accept);
 auth.store.get(data.sessionID, function(err, session){
 if(err)
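Review bot: The new `data.sessionID` assignment lets `data.query.session_id` override the cookie on every handshake, not only on `xdomain` ones, so a session identifier carried in the URL is accepted as a bearer credential wherever the cookie used to be required. Query strings commonly end up in access logs, proxy logs and Referer headers, and if `parseCookie` verifies a signed cookie (not visible in this hunk) the query value reaches `auth.store.get` without that verification. Prefer the cookie and accept the query value only for cross-origin handshakes, e.g. `data.sessionID = data.cookie[auth.key] || (data.xdomain && data.query.session_id) || '';`, and run the query value through the same signature check the cookie gets. A comment above the assignment saying the query path exists only for the CORS workaround would help the next reader; the returned function's body continues past the end of the hunk.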