diff --git a/packages/backend-core/src/middleware/passport/local.js b/packages/backend-core/src/middleware/passport/local.js
index f3921bea51..2149bd3e18 100644
--- a/packages/backend-core/src/middleware/passport/local.js
+++ b/packages/backend-core/src/middleware/passport/local.js
@@ -5,10 +5,7 @@ const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const {
- createASession,
- invalidateSessions,
-} = require("../../security/sessions")
+const { createASession } = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")
 const INVALID_ERR = "Invalid credentials"
@@ -56,9 +53,6 @@ exports.authenticate = async function (ctx, email, password, done) {
 // authenticate
 if (await compare(password, dbUser.password)) {
- // invalidate all other sessions
- await invalidateSessions(dbUser._id)
-
 const sessionId = newid()
 const tenantId = getTenantId()
 await createASession(dbUser._id, { sessionId, tenantId })
diff --git a/packages/backend-core/src/middleware/passport/third-party-common.js b/packages/backend-core/src/middleware/passport/third-party-common.js
index 32be3f474a..b467c0b10b 100644
--- a/packages/backend-core/src/middleware/passport/third-party-common.js
+++ b/packages/backend-core/src/middleware/passport/third-party-common.js
@@ -4,10 +4,7 @@ const { generateGlobalUserID } = require("../../db/utils")
 const { saveUser } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const {
- createASession,
- invalidateSessions,
-} = require("../../security/sessions")
+const { createASession } = require("../../security/sessions")
 const { getGlobalUserByEmail } = require("../../utils")
 const { getGlobalDB, getTenantId } = require("../../tenancy")
 const fetch = require("node-fetch")
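Review bot: In local.js, the successful-password branch of `authenticate` no longer shows that a login revokes the user's other sessions; after this change that happens only as a side effect of `createASession`. A one-line comment above the call, `// createASession also invalidates the user's existing sessions`, would keep the revocation visible to anyone who later replaces or wraps the session helper. The body of `authenticate` starts and ends outside the hunk.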
@@ -79,9 +76,6 @@ exports.authenticateThirdParty = async function (
 // never prompt for password reset
 dbUser.forceResetPassword = false
- // invalidate all other sessions
- await invalidateSessions(dbUser._id)
-
 // create or sync the user
 let response
 try {
diff --git a/packages/backend-core/src/security/sessions.js b/packages/backend-core/src/security/sessions.js
index bbe6be299d..cd0405c0c9 100644
--- a/packages/backend-core/src/security/sessions.js
+++ b/packages/backend-core/src/security/sessions.js
@@ -15,6 +15,9 @@ function makeSessionID(userId, sessionId) {
 }
 exports.createASession = async (userId, session) => {
+ // invalidate all other sessions
+ await this.invalidateSessions(userId)
+
 const client = await redis.getSessionClient()
 const sessionId = session.sessionId
 if (!session.csrfToken) {
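Review bot: In third-party-common.js, revocation of the user's existing sessions used to run in `authenticateThirdParty` before the create-or-sync step; it now depends on `createASession` being reached, and that call is not visible in this hunk. It is worth confirming that every path that completes a third-party login goes through `createASession`, because a path that returns earlier would now leave older sessions valid. A comment at the call site such as `// createASession also invalidates the user's existing sessions` would record that dependency. The function body starts and ends outside the hunk.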
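Review bot: In sessions.js, `await this.invalidateSessions(userId)` sits inside an arrow function, so `this` is the module-scope value, which in a CommonJS file is `module.exports`. The call therefore works only while the file stays CommonJS, `module.exports` is not reassigned, and `invalidateSessions` is attached to that same exports object (its definition is not visible in this hunk). Calling it explicitly, `await exports.invalidateSessions(userId)`, removes that dependency. Since every caller of `createASession` now revokes all of the user's sessions, the function should also carry a doc comment stating that side effect. The body of `createASession` continues outside the hunk.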