diff --git a/CHANGELOG.md b/CHANGELOG.md
index 16e4d1e98..6f5f3ef86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,5 +17,7 @@ Latest changes in each category go to the top
 ### Fixed
 - File formatting and errors in comments
 - Popup when voting and some voting translation fixes
+- Fixed return error when voting
 ### Security
+- Use `REACT_APP_RANDOMIZE_VOTE_ID === 'true'` to indicate randomizing vote ids
diff --git a/scripts/local_vars.sh b/scripts/local_vars.sh
index 287881bf3..c5282c5a7 100644
--- a/scripts/local_vars.sh
+++ b/scripts/local_vars.sh
@@ -12,7 +12,9 @@ export DB_PATH="$(pwd)/nodes/llmdb"
 # The following two variables can be set to see log output from dela:
 #export PROXY_LOG=info
 #export LLVL=info
-# If this is set, you can login without Gaspar
+# Logging in without Gaspar and SCIPER 100100
 export REACT_APP_DEV_LOGIN="true"
 # uncomment this to enable TLS to test gaspar
 #export HTTPS=true
+# Create random voter-IDs to allow easier testing
+export REACT_APP_RANDOMIZE_VOTE_ID="true"
diff --git a/web/backend/src/controllers/dela.ts b/web/backend/src/controllers/dela.ts
index 5129ccadf..616cda075 100644
--- a/web/backend/src/controllers/dela.ts
+++ b/web/backend/src/controllers/dela.ts
@@ -233,7 +233,7 @@ delaRouter.delete('/forms/:formID', (req, res) => {
 // request that needs to go the DELA nodes
 delaRouter.use('/*', (req, res) => {
 if (!req.session.userId) {
- res.status(400).send('Unauthorized');
+ res.status(401).send('Authentication required!');
 return;
 }
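Review bot: `export REACT_APP_RANDOMIZE_VOTE_ID="true"` is switched on unconditionally in this file, whereas the other optional switches next to it (`PROXY_LOG`, `LLVL`, `HTTPS`) are left commented out as opt-in. The backend treats this flag as permission to stamp every ballot with a fresh random UserID, so any environment copied from this script would silently allow a voter to cast unlimited ballots; shipping it as `#export REACT_APP_RANDOMIZE_VOTE_ID="true"` under the existing `# Create random voter-IDs ...` comment keeps the default safe and matches the file's own convention. The comment should also state that the flag must never be set on a production deployment.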
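Review bot: The new 401 for a missing session is the right status, but the sibling authorization failure a few lines further down (`res.status(400).send('Unauthorized')` after the `isAuthorized(...)` check, visible as context in the next hunk of this file) still answers 400, so the commit distinguishes "not logged in" from "not allowed" in only one direction; `res.status(403).send('Forbidden');` there would make the pair consistent and is what clients and reverse proxies expect for a permission failure. The trailing `!` in `'Authentication required!'` is harmless but unusual for an API error body. The `delaRouter.use('/*', ...)` handler continues past the end of this hunk.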
@@ -242,24 +242,23 @@ delaRouter.use('/*', (req, res) => {
 // special case for voting
 const match = req.baseUrl.match('/api/evoting/forms/(.*)/vote');
 if (match) {
- if (!req.session.userId) {
- res.status(401).send('Authentication required!');
- return;
- }
 if (!isAuthorized(req.session.userId, match[1], PERMISSIONS.ACTIONS.VOTE)) {
 res.status(400).send('Unauthorized');
 return;
 }
- // We must set the UserID to know who this ballot is associated to. This is
- // only needed to allow users to cast multiple ballots, where only the last
- // ballot is taken into account. To preserve anonymity, the web-backend could
- // translate UserIDs to another random ID.
- // bodyData.UserID = req.session.userId.toString();
-
- // DEBUG: this is only for debugging and needs to be replaced before production
- console.warn('DEV CODE - randomizing the SCIPER ID to allow for unlimited votes');
- bodyData.UserID = makeid(10);
+ if (process.env.REACT_APP_RANDOMIZE_VOTE_ID === 'true') {
+ // DEBUG: this is only for debugging and needs to be replaced before production
+ console.warn('DEV CODE - randomizing the SCIPER ID to allow for unlimited votes');
+ bodyData.UserID = makeid(10);
+ } else {
+ // We must set the UserID to know who this ballot is associated to. This is
+ // only needed to allow users to cast multiple ballots, where only the last
+ // ballot is taken into account. To preserve anonymity, the web-backend could
+ // translate UserIDs to another random ID.
+
+ bodyData.UserID = req.session.userId.toString();
+ }
 }
 const dataStr = JSON.stringify(bodyData);
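Review bot: The `process.env.REACT_APP_RANDOMIZE_VOTE_ID === 'true'` gate fails open: the only thing between a production deployment and unlimited, de-duplication-defeating ballots per voter is one environment variable, and nothing in this hunk ties the branch to a development build. Narrow it to `if (process.env.REACT_APP_RANDOMIZE_VOTE_ID === 'true' && process.env.NODE_ENV !== 'production') {`, or better, read the flag once at module load and refuse to start when it is set together with `NODE_ENV === 'production'`, so the misconfiguration is loud instead of silently changing election semantics. The `console.warn` now fires on every vote in that mode; emitting it once at startup avoids flooding the log. Whether `makeid(10)` is meant to be unpredictable is not visible here; a one-line comment above it stating that it is a test-only placeholder and not an anonymisation mechanism would prevent it being reused for the "translate UserIDs to another random ID" idea described in the else branch. The enclosing `delaRouter.use('/*', ...)` handler starts before this hunk and continues after it.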