diff --git a/weed/s3api/auth_signature_v4.go b/weed/s3api/auth_signature_v4.go
index 4e7c05180..480302c52 100644
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -323,6 +323,12 @@ func (iam *IdentityAccessManagement) validateSTSSessionToken(r *http.Request, se
 		return nil, nil, s3err.ErrInvalidAccessKeyID
 	}
 
+	// Check if sessionInfo or Credentials are nil
+	if sessionInfo == nil || sessionInfo.Credentials == nil {
+		glog.V(2).Infof("STS session token validation returned nil session info or credentials")
+		return nil, nil, s3err.ErrInvalidAccessKeyID
+	}
+
 	// Verify that the access key in the request matches the one in the session token
 	if sessionInfo.Credentials.AccessKeyId != accessKey {
 		glog.V(2).Infof("Access key mismatch: request has %s, session token has %s",
@@ -331,11 +337,17 @@ func (iam *IdentityAccessManagement) validateSTSSessionToken(r *http.Request, se
 	}
 
 	// Check if the session has expired
-	if time.Now().After(sessionInfo.ExpiresAt) {
+	if sessionInfo.ExpiresAt.IsZero() || time.Now().After(sessionInfo.ExpiresAt) {
 		glog.V(2).Infof("STS session has expired at %v", sessionInfo.ExpiresAt)
 		return nil, nil, s3err.ErrExpiredToken
 	}
 
+	// Validate required fields
+	if sessionInfo.Credentials.AccessKeyId == "" || sessionInfo.Credentials.SecretAccessKey == "" {
+		glog.V(2).Infof("STS session token missing required credential fields")
+		return nil, nil, s3err.ErrInvalidAccessKeyID
+	}
+
 	// Create a credential from the session info
 	cred := &Credential{
 		AccessKey: sessionInfo.Credentials.AccessKeyId,
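Review bot: In the second hunk the new `ExpiresAt.IsZero()` branch shares the "STS session has expired at %v" log line, so a session with no expiry at all is reported as having expired at the zero time, which will mislead anyone triaging rejected tokens; failing closed is right, but the two conditions deserve distinct log lines, e.g. `if sessionInfo.ExpiresAt.IsZero() { glog.V(2).Infof("STS session token has no expiry set"); return nil, nil, s3err.ErrExpiredToken }` ahead of the existing time check. The empty-field check added further down is structural validation of the decoded session, like the nil check in the first hunk, and would read more clearly placed directly after that nil check so every shape check runs before the access-key comparison and the expiry check; as written, a token with an empty SecretAccessKey but a matching AccessKeyId is only rejected after the expiry test, which is harmless but makes the validation order harder to audit. validateSTSSessionToken starts before the first hunk and continues past the second, so I cannot see whether the session-token string itself is checked for emptiness earlier.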