diff -r 006c5270128c -r 34a75bd8d0b9 src/notes/tests/api/session.py
--- a/src/notes/tests/api/session.py	Fri Jul 28 18:22:46 2017 +0200
+++ b/src/notes/tests/api/session.py	Tue Jul 25 19:11:26 2017 +0200
@@ -107,6 +107,32 @@
             self.assertEqual(session['owner'], 'test_user1')
 
 
+    def test_list_session_filter(self):
+        url = reverse('notes:session-list')
+        self.client.login(username='test_user1', password='top_secret')
+        response = self.client.get(url, {"ext_id__in": ",".join([str(self.session1.ext_id)])})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        json = response.json()
+        self.assertIn('results', json, "must have results")
+        self.assertIn('count', json, "must have count")
+        self.assertEqual(json['count'], 1, "must have one session")
+        self.assertEqual(len(json['results']), 1, "must have one session")
+
+        for session in json['results']:
+            self.assertEqual(session['owner'], 'test_user1')
+
+
+    def test_list_session_filter_bad(self):
+        url = reverse('notes:session-list')
+        self.client.login(username='test_user1', password='top_secret')
+        response = self.client.get(url, {"ext_id__in": ",".join([str(uuid4())])})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        json = response.json()
+        self.assertIn('results', json, "must have results")
+        self.assertIn('count', json, "must have count")
+        self.assertEqual(json['count'], 0, "must have no session")
+        self.assertEqual(len(json['results']), 0, "must have no session")
+
     def test_create_session_no_user(self):
         url = reverse('notes:session-list')
         response = self.client.post(url, {