diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 626ddca2dadd8..90e64b3a2e515 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -865,6 +865,15 @@ public function loginWithCookie($uid, $currentToken, $oldSessionId) {
 $tokens = $this->config->getUserKeys($uid, 'login_token');
 // test cookies token against stored tokens
 if (!in_array($currentToken, $tokens, true)) {
+ $this->logger->error('Tried to log in {uid} but could not verify token', [ 'uid' => $uid, ]);
+ // The user is possibly logged in, but the token can't be verified. As
+ // a safety measure we end the session and log the user out
+ // TODO: what if two requests go through this method concurrently, wouldn't
+ // one of them win and make the other one appear invalid do to the
+ // same token that no longer exists in the database?
+ $this->logout();
 return false;
 }
 // replace successfully used token with a new one
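Review bot: The added `$this->logout()` runs before any identity has been verified, so anyone who presents a remember-me cookie carrying an arbitrary `$uid` and a bogus token reaches it, and the concurrent-request case the TODO describes would seem to turn into a forced logout of a session the first request just legitimately established (the hunk's last context line shows the used token is replaced, so the second request's copy of it is gone). Before ending the session, confirm it actually belongs to this uid — something like `if ($this->getUser() !== null && $this->getUser()->getUID() === $uid) { $this->logout(); }`, assuming the class exposes the current user that way. Since `{uid}` is attacker-supplied on this path, consider logging at `warning` rather than `error` so forged cookies cannot flood the error log, and fix `do to` → `due to` in the TODO comment. `loginWithCookie` begins and ends outside this hunk.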