diff --git a/p11-kit/add-profile.c b/p11-kit/add-profile.c
index 2b905e9f..1404af3c 100644
--- a/p11-kit/add-profile.c
+++ b/p11-kit/add-profile.c
@@ -103,7 +103,7 @@ add_profile (const char *token_str,
 		goto cleanup;
 	}
 
-	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
+	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_SESSIONS | P11_KIT_ITER_WITHOUT_OBJECTS;
 	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
 #ifdef OS_UNIX
diff --git a/p11-kit/delete-profile.c b/p11-kit/delete-profile.c
index 5984d72e..9503717f 100644
--- a/p11-kit/delete-profile.c
+++ b/p11-kit/delete-profile.c
@@ -103,7 +103,7 @@ delete_profile (const char *token_str,
 		goto cleanup;
 	}
 
-	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
+	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_SESSIONS | P11_KIT_ITER_WITHOUT_OBJECTS;
 	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
 #ifdef OS_UNIX
diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
index 60ef622a..49dc1183 100644
--- a/p11-kit/generate-keypair.c
+++ b/p11-kit/generate-keypair.c
@@ -296,7 +296,7 @@ generate_keypair (const char *token_str,
 		goto cleanup;
 	}
 
-	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
+	behavior = P11_KIT_ITER_WANT_WRITABLE | P11_KIT_ITER_WITH_SESSIONS | P11_KIT_ITER_WITHOUT_OBJECTS;
 	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
 #ifdef OS_UNIX
diff --git a/p11-kit/iter.c b/p11-kit/iter.c
index 54d5ed8d..37b1d5bc 100644
--- a/p11-kit/iter.c
+++ b/p11-kit/iter.c
@@ -116,6 +116,7 @@ struct p11_kit_iter {
 	unsigned int with_tokens : 1;
 	unsigned int with_objects : 1;
 	unsigned int with_login : 1;
+	unsigned int with_sessions : 1;
 };
 
 /**
@@ -123,6 +124,8 @@ struct p11_kit_iter {
  * @P11_KIT_ITER_KIND_MODULE: The iterator is pointing to a module.
  * @P11_KIT_ITER_KIND_SLOT: The iterator is pointing to a slot.
  * @P11_KIT_ITER_KIND_TOKEN: The iterator is pointing to a token.
+ * @P11_KIT_ITER_KIND_SESSION: The iterator is pointing to a token with an
+ *   active session.
  * @P11_KIT_ITER_KIND_OBJECT: The iterator is pointing to an object.
  * @P11_KIT_ITER_KIND_UNKNOWN: The iterator doesn't point to anything.
  *
@@ -138,6 +141,8 @@ struct p11_kit_iter {
  * @P11_KIT_ITER_WITH_MODULES: Stop at each module while iterating.
  * @P11_KIT_ITER_WITH_SLOTS: Stop at each slot while iterating.
  * @P11_KIT_ITER_WITH_TOKENS: Stop at each token while iterating.
+ * @P11_KIT_ITER_WITH_SESSIONS: Stop at each token while iterating (after
+ *   opening a session).
  * @P11_KIT_ITER_WITHOUT_OBJECTS: Ignore objects while iterating.
  *
  * Various flags controlling the behavior of the iterator.
@@ -179,6 +184,7 @@ p11_kit_iter_new (P11KitUri *uri,
 	iter->with_modules = !!(behavior & P11_KIT_ITER_WITH_MODULES);
 	iter->with_slots = !!(behavior & P11_KIT_ITER_WITH_SLOTS);
 	iter->with_tokens = !!(behavior & P11_KIT_ITER_WITH_TOKENS);
+	iter->with_sessions = !!(behavior & P11_KIT_ITER_WITH_SESSIONS);
 	iter->with_objects = !(behavior & P11_KIT_ITER_WITHOUT_OBJECTS);
 	iter->with_login = !!(behavior & P11_KIT_ITER_WITH_LOGIN);
 
@@ -597,7 +603,7 @@ move_next_session (P11KitIter *iter)
 			COROUTINE_RETURN (move_next_session, 1, CKR_OK);
 		}
 
-		if (iter->with_slots || iter->with_tokens || iter->with_objects) {
+		if (iter->with_slots || iter->with_tokens || iter->with_sessions || iter->with_objects) {
 			CK_SLOT_ID *slots;
 
 			rv = (iter->module->C_GetSlotList) (CK_TRUE, NULL, &num_slots);
@@ -618,7 +624,8 @@ move_next_session (P11KitIter *iter)
 	}
 
 	/* Move to the next slot, and open a session on it */
-	while ((iter->with_slots || iter->with_tokens || iter->with_objects) &&
+	while ((iter->with_slots || iter->with_tokens || iter->with_sessions ||
+		iter->with_objects) &&
 	       iter->saw_slots < iter->num_slots) {
 		iter->slot = iter->slots[iter->saw_slots++];
 
@@ -636,6 +643,11 @@ move_next_session (P11KitIter *iter)
 		if (rv != CKR_OK || !p11_match_uri_token_info (&iter->match_token, &iter->token_info))
 			continue;
 
+		if (iter->with_tokens) {
+			iter->kind = P11_KIT_ITER_KIND_TOKEN;
+			COROUTINE_RETURN (move_next_session, 3, CKR_OK);
+		}
+
 		session_flags = CKF_SERIAL_SESSION;
 
 		/* Skip if the read/write on a read-only token */
@@ -664,11 +676,10 @@ move_next_session (P11KitIter *iter)
 					return finish_iterating (iter, rv);
 			}
 
-		}
-
-		if (iter->with_tokens) {
-			iter->kind = P11_KIT_ITER_KIND_TOKEN;
-			COROUTINE_RETURN (move_next_session, 3, CKR_OK);
+			if (iter->with_sessions) {
+				iter->kind = P11_KIT_ITER_KIND_SESSION;
+				COROUTINE_RETURN (move_next_session, 4, CKR_OK);
+			}
 		}
 
 		iter->move_next_session_state = 0;
@@ -717,7 +728,8 @@ p11_kit_iter_next (P11KitIter *iter)
 	if (iter->match_nothing)
 		return finish_iterating (iter, CKR_CANCEL);
 
-	if (!(iter->with_modules || iter->with_slots || iter->with_tokens || iter->with_objects))
+	if (!(iter->with_modules || iter->with_slots || iter->with_tokens ||
+	      iter->with_sessions || iter->with_objects))
 		return finish_iterating (iter, CKR_CANCEL);
 
 	/*
@@ -742,7 +754,8 @@ p11_kit_iter_next (P11KitIter *iter)
 	 * objects, or we are looking for modules/slots/tokens */
 	if ((iter->with_objects && iter->searched) ||
 	    (!iter->with_objects &&
-	     (iter->with_modules || iter->with_slots || iter->with_tokens))) {
+	     (iter->with_modules || iter->with_slots || iter->with_tokens ||
+	      iter->with_sessions))) {
 		/* Use iter->kind as the sentinel to detect the case where
 		 * any match (except object) is successful in
 		 * move_next_session() */
diff --git a/p11-kit/iter.h b/p11-kit/iter.h
index fee5ed9a..dcbe981d 100644
--- a/p11-kit/iter.h
+++ b/p11-kit/iter.h
@@ -63,6 +63,7 @@ typedef enum {
 	P11_KIT_ITER_KIND_SLOT,
 	P11_KIT_ITER_KIND_TOKEN,
 	P11_KIT_ITER_KIND_OBJECT,
+	P11_KIT_ITER_KIND_SESSION,
 	P11_KIT_ITER_KIND_UNKNOWN = -1,
 } P11KitIterKind;
 
@@ -74,6 +75,7 @@ typedef enum {
 	P11_KIT_ITER_WITH_TOKENS = 1 << 5,
 	P11_KIT_ITER_WITHOUT_OBJECTS = 1 << 6,
 	P11_KIT_ITER_WITH_LOGIN = 1 << 7,
+	P11_KIT_ITER_WITH_SESSIONS = 1 << 8,
 } P11KitIterBehavior;
 
 typedef CK_RV      (* p11_kit_iter_callback)                (P11KitIter *iter,
diff --git a/p11-kit/list-profiles.c b/p11-kit/list-profiles.c
index 8f1314d1..253a6ded 100644
--- a/p11-kit/list-profiles.c
+++ b/p11-kit/list-profiles.c
@@ -100,7 +100,7 @@ list_profiles (const char *token_str,
 		goto cleanup;
 	}
 
-	behavior = P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS;
+	behavior = P11_KIT_ITER_WITH_SESSIONS | P11_KIT_ITER_WITHOUT_OBJECTS;
 	if (login) {
 		behavior |= P11_KIT_ITER_WITH_LOGIN;
 #ifdef OS_UNIX