diff --git a/index.js b/index.js
index d391fbc..aed049d 100644
--- a/index.js
+++ b/index.js
@@ -202,7 +202,6 @@ function getSecret (req, sessionKey, cookie) {
 var key = cookie ? cookie.key : 'csrfSecret'
 if (!bag) {
- /* istanbul ignore next: should never actually run */
 throw new Error('misconfigured csrf')
 }
diff --git a/test/test.js b/test/test.js
index dd77bc9..0f6a30e 100644
--- a/test/test.js
+++ b/test/test.js
@@ -364,6 +364,23 @@ describe('csurf', function () {
 .get('/')
 .expect(200, 'true', done)
 })
+
+ it('should error when secret storage missing', function (done) {
+ var app = connect()
+
+ app.use(session({ keys: ['a', 'b'] }))
+ app.use(csurf())
+ app.use(function (req, res) {
+ req.session = null
+ res.setHeader('x-run', 'true')
+ res.end(req.csrfToken())
+ })
+
+ request(app)
+ .get('/')
+ .expect('x-run', 'true')
+ .expect(500, /misconfigured csrf/, done)
+ })
 })
 describe('when using session storage', function () {
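Review bot: The closing assertion `.expect(500, /misconfigured csrf/, done)` in the new test passes only if the fallback error handler writes `err.message` into the response body, and `.expect('x-run', 'true')` only if that handler keeps headers set before `req.csrfToken()` throws. The test registers no error handler of its own, so both depend on behaviour outside csurf. If the default handler hides error messages, which is likely under a production `NODE_ENV` but should be confirmed for the connect version in use, the test would fail for a reason unrelated to the missing secret storage. Registering an explicit handler in the test would pin what is being checked, for example `app.use(function (err, req, res, next) { res.statusCode = 500; res.end(err.message) })`. The enclosing `describe` block starts and ends outside the hunk.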