diff --git a/vault/core.go b/vault/core.go
index c5a04583cf..ecaf84573e 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -294,11 +294,13 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, erro
 	// If the response generated an authentication, then generate the token
 	var auth *logical.Auth
 	if resp != nil && resp.Auth != nil {
+		auth = resp.Auth
+
 		// Generate a token
 		te := TokenEntry{
 			Path: req.Path,
-			Policies: resp.Auth.Policies,
-			Meta: resp.Auth.Metadata,
+			Policies: auth.Policies,
+			Meta: auth.Metadata,
 		}
 		if err := c.tokenStore.Create(&te); err != nil {
 			c.logger.Printf("[ERR] core: failed to create token: %v", err)
@@ -308,22 +310,17 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, erro
 		// Populate the client token
 		resp.Auth.ClientToken = te.ID
 
-		// Store the auth object for audit logging
-		auth = resp.Auth
+		// Set the default lease if non-provided, root tokens are exempt
+		if auth.Lease == 0 && !strListContains(auth.Policies, "root") {
+			auth.Lease = defaultLeaseDuration
+		}
 
-		// Register with the expiration manager if there is a lease
-		/*
-			if resp.Secret != nil && resp.Secret.Lease > 0 {
-				vaultID, err := c.expiration.RegisterLogin(te.ID, req, resp)
-				if err != nil {
-					c.logger.Printf(
-						"[ERR] core: failed to register login token lease "+
-							"(request: %#v, response: %#v): %v", req, resp, err)
-					return nil, ErrInternalError
-				}
-				resp.Secret.VaultID = vaultID
-			}
-		*/
+		// Register with the expiration manager
+		if err := c.expiration.RegisterAuth(req.Path, auth); err != nil {
+			c.logger.Printf("[ERR] core: failed to register token lease "+
+				"(request: %#v, response: %#v): %v", req, resp, err)
+			return nil, ErrInternalError
+		}
 	}
 
 	// Create an audit trail of the response
diff --git a/vault/core_test.go b/vault/core_test.go
index 59f3d07fd0..22b8b63458 100644
--- a/vault/core_test.go
+++ b/vault/core_test.go
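Review bot: The alias `auth = resp.Auth` is now taken before the token is generated, but the following hunk still writes through the original pointer with `resp.Auth.ClientToken = te.ID` while every other access in the block goes through `auth`; using `auth.ClientToken = te.ID` would keep the block consistent now that the alias exists. The two names refer to the same object, so this is style only. handleLoginRequest continues outside the hunk.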
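Review bot: When `c.expiration.RegisterAuth` fails, the function returns ErrInternalError but the token entry `te` created by `c.tokenStore.Create` in the preceding hunk is left in the store with no lease registered, so the failure path should revoke or remove that entry before returning. The error log on that path also formats `req` and `resp` with `%#v`, and `resp.Auth` now carries the freshly issued client token (set two lines above) while a login request may carry the credentials used to authenticate, so a registration failure writes both into the log; logging only the path and error is sufficient, e.g. `c.logger.Printf("[ERR] core: failed to register token lease (path: %q): %v", req.Path, err)`. Root-policy tokens are exempted from the default and therefore reach RegisterAuth with `Lease == 0`; presumably that is the no-expiry signal, but RegisterAuth is outside this diff, so confirm it accepts a zero lease rather than registering an immediately expiring one. The comment would read more clearly as `// Set the default lease if none was provided; root tokens are exempt`. handleLoginRequest continues outside the hunk.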
@@ -603,10 +603,6 @@ func TestCore_HandleLogin_Token(t *testing.T) {
 	noop := &NoopBackend{
 		Login: []string{"login"},
 		Response: &logical.Response{
-			Secret: &logical.Secret{
-				Lease: time.Hour,
-			},
-
 			Auth: &logical.Auth{
 				Policies: []string{"foo", "bar"},
 				Metadata: map[string]string{
@@ -662,15 +658,10 @@ func TestCore_HandleLogin_Token(t *testing.T) {
 		t.Fatalf("Bad: %#v expect: %#v", te, expect)
 	}
 
-	// Check that we have a lease with a VaultID
-	if lresp.Secret.Lease != time.Hour {
-		t.Fatalf("bad: %#v", lresp.Secret)
+	// Check that we have a lease with default duration
+	if lresp.Auth.Lease != defaultLeaseDuration {
+		t.Fatalf("bad: %#v", lresp.Auth)
 	}
-	/*
-		if lresp.Secret.VaultID == "" {
-			t.Fatalf("bad: %#v", lresp.Secret)
-		}
-	*/
 }
 
 func TestCore_HandleRequest_AuditTrail(t *testing.T) {
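Review bot: The updated assertion covers only the case where the backend provided no lease, while the new code in vault/core.go also exempts root-policy tokens from the default and leaves an explicitly provided lease untouched; neither branch is exercised here. Consider a second login fixture whose Auth carries `Policies: []string{"root"}` with an assertion that `lresp.Auth.Lease == 0`, and one with a preset `Lease` asserting it is returned unchanged. With `Lease: time.Hour` removed from the fixture in the hunk above, check whether `time` is still referenced elsewhere in core_test.go; if not, the import is now unused. TestCore_HandleLogin_Token starts outside the hunk.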