diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index 92b57d1728..17de1bd08f 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -667,7 +667,7 @@ static enum ssl_hs_wait_t ssl_lookup_session(
     // TODO(davidben): This should probably move it to the front of the list.
     if (session == nullptr) {
       ssl_update_counter(ssl->session_ctx.get(),
-                          ssl->session_ctx->stats.sess_miss, true);
+                         ssl->session_ctx->stats.sess_miss, true);
     }
   }
 
@@ -705,15 +705,17 @@ static enum ssl_hs_wait_t ssl_lookup_session(
   if (!ssl_session_is_time_valid(ssl, session.get())) {
     ssl_update_counter(ssl->session_ctx.get(),
                        ssl->session_ctx->stats.sess_timeout, true);
-    if(session) {
+    if (session) {
       // The session was from the cache, so remove it.
       SSL_CTX_remove_session(ssl->session_ctx.get(), session.get());
       session.reset();
     }
   }
 
-  ssl_update_counter(ssl->session_ctx.get(),
-                     ssl->session_ctx->stats.sess_hit, true);
+  if (session) {
+    ssl_update_counter(ssl->session_ctx.get(), ssl->session_ctx->stats.sess_hit,
+                       true);
+  }
   *out_session = std::move(session);
   return ssl_hs_ok;
 }
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 88f656e1fb..6da94e8dd2 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -8510,6 +8510,9 @@ TEST_P(SSLVersionTest, SessionMissCache) {
   // Subsequent connections will all be both timeouts and misses.
   EXPECT_EQ(SSL_CTX_sess_misses(server_ctx_.get()), kNumConnections - 1);
   EXPECT_EQ(SSL_CTX_sess_timeouts(server_ctx_.get()), kNumConnections);
+  // Check that |sess_hits| is not incorrectly incremented on either end.
+  EXPECT_EQ(SSL_CTX_sess_hits(client_ctx_.get()), 0);
+  EXPECT_EQ(SSL_CTX_sess_hits(server_ctx_.get()), 0);
 }
 
 // Callback function to force an external session cache counter update.