diff --git a/packages/backend-core/src/security/sessions.js b/packages/backend-core/src/security/sessions.js
index bbe6be299d..cd0405c0c9 100644
--- a/packages/backend-core/src/security/sessions.js
+++ b/packages/backend-core/src/security/sessions.js
@@ -15,6 +15,9 @@ function makeSessionID(userId, sessionId) {
 }
 
 exports.createASession = async (userId, session) => {
+  // invalidate all other sessions
+  await this.invalidateSessions(userId)
+
   const client = await redis.getSessionClient()
   const sessionId = session.sessionId
   if (!session.csrfToken) {