diff --git a/js/lobby.js b/js/lobby.js
new file mode 100644
index 00000000000..431fc0b54cc
--- /dev/null
+++ b/js/lobby.js
@@ -0,0 +1,5 @@
+$(document).ready(function(){
+	setTimeout(function() {
+		window.location.reload();
+	}, 5000);
+});
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
index 29a7ab792a8..51a70a19036 100644
--- a/lib/Controller/PageController.php
+++ b/lib/Controller/PageController.php
@@ -32,6 +32,7 @@
 use OCA\Spreed\Participant;
 use OCA\Spreed\Room;
 use OCA\Spreed\TalkSession;
+use OCA\Spreed\Webinary;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
@@ -224,13 +225,14 @@ protected function guestEnterRoom(string $token, string $password): Response {
 			]));
 		}
 
-		$this->talkSession->removePasswordForRoom($token);
 		if ($room->hasPassword()) {
-			$passwordVerification = $room->verifyPassword($password);
+			$password = $password !== '' ? $password : (string) $this->talkSession->getPasswordForRoom($token);
 
+			$passwordVerification = $room->verifyPassword($password);
 			if ($passwordVerification['result']) {
-				$this->talkSession->setPasswordForRoom($token, $token);
+				$this->talkSession->setPasswordForRoom($token, $password);
 			} else {
+				$this->talkSession->removePasswordForRoom($token);
 				if ($passwordVerification['url'] === '') {
 					return new TemplateResponse($this->appName, 'authenticate', [], 'guest');
 				}
@@ -239,6 +241,11 @@ protected function guestEnterRoom(string $token, string $password): Response {
 			}
 		}
 
+		if ($room->getLobbyState() === Webinary::MODERATORS_ONLY) {
+			$response = new TemplateResponse('spreed', 'lobby', [], 'error');
+			return $response;
+		}
+
 		$params = [
 			'token' => $token,
 			'signaling-settings' => $this->config->getSettings($this->userId),
diff --git a/lib/Controller/RoomController.php b/lib/Controller/RoomController.php
index 5a5cc2e6b5f..97ff3a61e6b 100644
--- a/lib/Controller/RoomController.php
+++ b/lib/Controller/RoomController.php
@@ -870,10 +870,11 @@ public function joinRoom(string $token, string $password = ''): DataResponse {
 
 		$user = $this->userManager->get($this->userId);
 		try {
+			$result = $room->verifyPassword((string) $this->session->getPasswordForRoom($token));
 			if ($user instanceof IUser) {
-				$newSessionId = $room->joinRoom($user, $password, $this->session->getPasswordForRoom($token) === $room->getToken());
+				$newSessionId = $room->joinRoom($user, $password, $result['result']);
 			} else {
-				$newSessionId = $room->joinRoomGuest($password, $this->session->getPasswordForRoom($token) === $room->getToken());
+				$newSessionId = $room->joinRoomGuest($password, $result['result']);
 			}
 		} catch (InvalidPasswordException $e) {
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
diff --git a/lib/Controller/SignalingController.php b/lib/Controller/SignalingController.php
index 8a154158923..01f90c85340 100644
--- a/lib/Controller/SignalingController.php
+++ b/lib/Controller/SignalingController.php
@@ -32,6 +32,7 @@
 use OCA\Spreed\Room;
 use OCA\Spreed\Signaling\Messages;
 use OCA\Spreed\TalkSession;
+use OCA\Spreed\Webinary;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
@@ -163,11 +164,19 @@ public function pullMessages(string $token): DataResponse {
 			}
 
 			$room = $this->manager->getRoomForSession($this->userId, $sessionId);
+			$participant = $room->getParticipantBySession($sessionId);
+
+			if (!$participant->hasModeratorPermissions() &&
+				$room->getLobbyState() !== Webinary::ALL_PARTICIPANTS) {
+				throw new RoomNotFoundException('Lobby enabled');
+			}
 
 			$pingTimestamp = $this->timeFactory->getTime();
 			$room->ping($this->userId, $sessionId, $pingTimestamp);
 		} catch (RoomNotFoundException $e) {
 			return new DataResponse([['type' => 'usersInRoom', 'data' => []]], Http::STATUS_NOT_FOUND);
+		} catch (ParticipantNotFoundException $e) {
+			return new DataResponse([['type' => 'usersInRoom', 'data' => []]], Http::STATUS_NOT_FOUND);
 		}
 
 		while ($seconds > 0) {
diff --git a/lib/Middleware/InjectionMiddleware.php b/lib/Middleware/InjectionMiddleware.php
index 0abc290259d..50eef4f46db 100644
--- a/lib/Middleware/InjectionMiddleware.php
+++ b/lib/Middleware/InjectionMiddleware.php
@@ -116,37 +116,39 @@ public function beforeController($controller, $methodName): void {
 	protected function getLoggedIn(AEnvironmentAwareController $controller, bool $moderatorRequired): void {
 		$token = $this->request->getParam('token');
 		$room = $this->manager->getRoomForParticipantByToken($token, $this->userId);
+		$controller->setRoom($room);
+
 		$participant = $room->getParticipant($this->userId);
+		$controller->setParticipant($participant);
 
 		if ($moderatorRequired && !$participant->hasModeratorPermissions(false)) {
 			throw new NotAModeratorException();
 		}
 
-		$controller->setRoom($room);
-		$controller->setParticipant($participant);
 	}
 
 	/**
 	 * @param AEnvironmentAwareController $controller
 	 * @param bool $moderatorRequired
 	 * @throws NotAModeratorException
+	 * @throws ParticipantNotFoundException
 	 */
 	protected function getLoggedInOrGuest(AEnvironmentAwareController $controller, bool $moderatorRequired): void {
 		$token = $this->request->getParam('token');
 		$room = $this->manager->getRoomForParticipantByToken($token, $this->userId);
+		$controller->setRoom($room);
+
 		if ($this->userId !== null) {
 			$participant = $room->getParticipant($this->userId);
 		} else {
 			$sessionId = $this->talkSession->getSessionForRoom($token);
 			$participant = $room->getParticipantBySession($sessionId);
 		}
+		$controller->setParticipant($participant);
 
 		if ($moderatorRequired && !$participant->hasModeratorPermissions()) {
 			throw new NotAModeratorException();
 		}
-
-		$controller->setRoom($room);
-		$controller->setParticipant($participant);
 	}
 
 	/**
@@ -167,13 +169,15 @@ protected function checkReadOnlyState(AEnvironmentAwareController $controller):
 	protected function checkLobbyState(AEnvironmentAwareController $controller): void {
 		try {
 			$this->getLoggedInOrGuest($controller, true);
+			return;
 		} catch (NotAModeratorException $e) {
-			$room = $controller->getRoom();
-			if (!$room instanceof Room || $room->getLobbyState() === Webinary::ALL_PARTICIPANTS) {
-				throw new LobbyException();
-			}
+		} catch (ParticipantNotFoundException $e) {
 		}
 
+		$room = $controller->getRoom();
+		if (!$room instanceof Room || $room->getLobbyState() !== Webinary::ALL_PARTICIPANTS) {
+			throw new LobbyException();
+		}
 	}
 
 	/**
diff --git a/templates/lobby.php b/templates/lobby.php
new file mode 100644
index 00000000000..ae1ac067d1c
--- /dev/null
+++ b/templates/lobby.php
@@ -0,0 +1,7 @@
+<?php
+script('spreed', 'lobby');
+?>
+<div class="error">
+	<h2><?php p($l->t('Lobby')); ?></h2>
+	<p><?php p($l->t('Please stand by')); ?></p>
+</div>