diff --git a/maloja/apis/audioscrobbler.py b/maloja/apis/audioscrobbler.py
index 6699618..350d4a3 100644
--- a/maloja/apis/audioscrobbler.py
+++ b/maloja/apis/audioscrobbler.py
@@ -28,6 +28,15 @@ class Audioscrobbler(APIHandler):
 			ScrobblingException:(500,{"error":8,"message":"Operation failed"})
 		}
 
+	# xml string escaping: https://stackoverflow.com/a/28703510
+	def xml_escape(self, str_xml: str):
+		str_xml = str_xml.replace("&", "&")
+		str_xml = str_xml.replace("<", "&lt;")
+		str_xml = str_xml.replace("<", "&lt;")
+		str_xml = str_xml.replace("\"", "&quot;")
+		str_xml = str_xml.replace("'", "&apos;")
+		return str_xml
+
 	def get_method(self,pathnodes,keys):
 		return keys.get("method")
 
@@ -50,7 +59,14 @@ class Audioscrobbler(APIHandler):
 			client = apikeystore.check_and_identify_key(password)
 			if client:
 				sessionkey = self.generate_key(client)
-				return 200,{"session":{"key":sessionkey}}
+				return 200,"""<lfm status="ok">
+  <session>
+    <name>%s</name>
+    <key>%s</key>
+    <subscriber>0</subscriber>
+  </session>
+</lfm>
+""" % (self.xml_escape(user), self.xml_escape(sessionkey))
 			else:
 				raise InvalidAuthException()
 		# or username and token (deprecated by lastfm)