diff --git a/server.py b/server.py
index e8ddd0efd36fe71f5a548241f13a43ba183d124d..a62ca2445c971fb06277703b3e8a1b252379f6f4 100644
--- a/server.py
+++ b/server.py
@@ -426,16 +426,21 @@ def logout():
 def auth(): #pylint: disable=too-many-branches
 	if 'X-Original-Uri' not in request.headers:
 		return 'Internal Server Error', 500
-	url = urllib.parse.unquote(request.headers['X-Original-Uri']).lstrip(config['VIDEOPREFIX'])
+	url_path = urllib.parse.urlparse(request.headers['X-Original-Uri']).path
+	url_path = urllib.parse.unquote(url_path)
+	url_prefix = config['VIDEOPREFIX']+'/'
+	if url_path.startswith(url_prefix):
+		url_path = url_path[len(url_prefix):]  # remove prefix followed by '/'
+	else:
+		return 'Internal Server Error', 500
 	if request.cookies.get('tracking', '') and request.cookies['tracking'].isdigit():
 		cookie = int(request.cookies['tracking'])
 	else:
 		cookie = random.getrandbits(8*8-1)
-	url_path = urllib.parse.urlparse(url).path
-	if url_path.endswith('jpg') or ismod():
+	if url_path.startswith('thumbnail/') or ismod():
 		return "OK", 200
-	if url.startswith('pub/hls/'):
-		handle = url[len('pub/hls/'):].split('_')[0].split('.')[0]
+	if url_path.startswith('pub/hls/'):
+		handle = url_path[len('pub/hls/'):].split('_')[0].split('.')[0]
 		if handle.isdigit():
 			perms = query('''SELECT lectures.id AS lecture, perm.*
 					FROM lectures
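Review bot: The `url_path.startswith('thumbnail/')` shortcut returns 200 without any permission lookup, and it is evaluated on a path that was percent-decoded but never normalised, so a value containing `..` segments (literal or percent-encoded) can pass the prefix test while naming a different file. Whether this is reachable depends on whether the proxy fills `X-Original-Uri` with the raw request URI while serving from its own normalised one, which is not visible here; if it does, the decision made in auth() and the file actually served can diverge. Rejecting dot segments right after the `unquote` call would also protect the `pub/hls/` and `videos.path` checks, e.g. `if '..' in url_path.split('/'): return 'Forbidden', 403`. auth() continues past the end of this hunk.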
@@ -462,7 +467,7 @@ def auth(): #pylint: disable=too-many-branches
 				WHERE videos.path = ?
 				AND (courses.visible AND lectures.visible AND videos.visible)
 				ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''',
-				url)
+				url_path)
 	if not perms:
 		return "Not found", 404
 	auth = request.authorization
@@ -472,12 +477,12 @@ def auth(): #pylint: disable=too-many-branches
 		password = auth.password
 	if checkperm(perms, username=username, password=password):
 		try:
-			if not url.startswith('pub/hls/'):
+			if not url_path.startswith('pub/hls/'):
 				modify('INSERT INTO log (id, `time`, `date`, video, source) VALUES (?, ?, ?, ?, 1)',
 						cookie, datetime.now(), datetime.combine(date.today(), time()), perms[0]['vid'])
-			elif url.endswith('.ts'):
-				fmt = url.split('_')[-1].split('-')[0]
-				seg = url.split('.')[0].split('-')[-1]
+			elif url_path.endswith('.ts'):
+				fmt = url_path.split('_')[-1].split('-')[0]
+				seg = url_path.split('.')[0].split('-')[-1]
 				modify('INSERT INTO hlslog (id, `time`, segment, lecture, handle, format) VALUES (?, ?, ?, ?, ?, ?)',
 						cookie, datetime.now(), seg, perms[0]['lecture'], handle, fmt)
 		except: #pylint: disable=bare-except