diff --git a/lib/index.js b/lib/index.js
index 3813b1d..47dffe9 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -35,13 +35,13 @@ function authorize(options) {
 return function(data, accept){
 data.cookie = parseCookie(auth, data.headers.cookie || '');
- data.sessionID = data.cookie[auth.key] || '';
+ data.sessionID = data.query.session_id || data.cookie[auth.key] || '';
 data[auth.userProperty] = { logged_in: false };
- if(data.xdomain)
- return auth.fail(data, 'Can not read cookies from CORS-Requests.', false, accept);
+ if(data.xdomain && !data.sessionID)
+ return auth.fail(data, 'Can not read cookies from CORS-Requests. See CORS-Workaround in the readme.', false, accept);
 auth.store.get(data.sessionID, function(err, session){
 if(err)
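Review bot: The new `data.sessionID` assignment lets `data.query.session_id` take precedence over the cookie on every handshake, not only on cross-domain ones, and the query value reaches `auth.store.get` as-is without passing through `parseCookie` (presumably where a signed cookie is verified; confirm). A session id carried in the URL also lands in access logs, proxy logs and Referer headers, so it should be the fallback rather than the preferred source: `data.sessionID = data.cookie[auth.key] || (data.xdomain && data.query.session_id) || '';`. It would also be worth rejecting a non-string value before the store lookup, e.g. `if (typeof data.sessionID !== 'string') data.sessionID = '';`, since the shape of `data.query` is not visible here. The returned handler's body continues past the end of the hunk.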