diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index c953cf6cbb309..933810dabf955 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -460,7 +460,8 @@ public function logClientIn($user,
 			if ($isTokenPassword) {
 				$dbToken = $this->tokenProvider->getToken($password);
 				$userFromToken = $this->manager->get($dbToken->getUID());
-				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user;
+				$isValidEmailLogin = $userFromToken->getEMailAddress() === $user
+					&& $this->validateTokenLoginName($userFromToken->getEMailAddress(), $dbToken);
 			} else {
 				$users = $this->manager->getByEmail($user);
 				$isValidEmailLogin = (\count($users) === 1 && $this->login($users[0]->getUID(), $password));
@@ -819,6 +820,27 @@ private function validateToken($token, $user = null) {
 		return true;
 	}
 
+	/**
+	 * Check if login names match
+	 */
+	private function validateTokenLoginName(?string $loginName, IToken $token): bool {
+		if ($token->getLoginName() !== $loginName) {
+			// TODO: this makes it impossible to use different login names on browser and client
+			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+			//      allow to use the client token with the login name 'user'.
+			$this->logger->error('App token login name does not match', [
+				'tokenLoginName' => $token->getLoginName(),
+				'sessionLoginName' => $loginName,
+				'app' => 'core',
+				'user' => $token->getUID(),
+			]);
+
+			return false;
+		}
+
+		return true;
+	}
+
 	/**
 	 * Tries to login the user with auth token header
 	 *