diff --git a/ghost/core/core/server/services/auth/session/middleware.js b/ghost/core/core/server/services/auth/session/middleware.js
index 3eb6fe9786..daf38c9edd 100644
--- a/ghost/core/core/server/services/auth/session/middleware.js
+++ b/ghost/core/core/server/services/auth/session/middleware.js
@@ -42,7 +42,8 @@ function SessionMiddleware({sessionService}) {
 async function authenticate(req, res, next) {
 try {
 const user = await sessionService.getUserForSession(req, res);
- if (user) {
+ const isVerified = await sessionService.isVerifiedSession(req, res);
+ if (user && isVerified) {
 // Do not nullify `req.user` as it might have been already set
 // in a previous middleware (authorize middleware).
 req.user = user;
@@ -68,6 +69,7 @@ function SessionMiddleware({sessionService}) {
 const verified = await sessionService.verifyAuthCodeForUser(req, res);
 if (verified) {
+ await sessionService.verifySession(req, res);
 res.sendStatus(200);
 } else {
 res.sendStatus(401);
diff --git a/ghost/core/test/unit/server/services/auth/session/middleware.test.js b/ghost/core/test/unit/server/services/auth/session/middleware.test.js
index 7c343189f0..18d6eb38e4 100644
--- a/ghost/core/test/unit/server/services/auth/session/middleware.test.js
+++ b/ghost/core/test/unit/server/services/auth/session/middleware.test.js
@@ -204,7 +204,8 @@ describe('Session Service', function () {
 const middleware = SessionMiddlware({
 sessionService: {
- verifyAuthCodeForUser: verifyAuthCodeForUserStub
+ verifyAuthCodeForUser: verifyAuthCodeForUserStub,
+ verifySession: sinon.stub().resolves(true)
 }
 });
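Review bot: In the first hunk `sessionService.isVerifiedSession(req, res)` is awaited before `user` is even checked, so every request that carries no session still pays a second session lookup, and the new condition is harder to read than it needs to be. Short-circuit on the user first: `const isVerified = user ? await sessionService.isVerifiedSession(req, res) : false;` and keep `if (user && isVerified) {` as written. A session that exists but is not yet verified now falls into the else branch, which lies outside this hunk, with `req.user` left unset; a one-line comment above the new line, such as `// A session is only trusted once its auth code has been verified; an unverified one must not populate req.user`, would record that intent for the next reader. The body of `authenticate` continues past the end of the hunk.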
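Review bot: In the second hunk the value resolved by `await sessionService.verifySession(req, res)` is discarded before `res.sendStatus(200)` is sent; the companion test stubs it with `sinon.stub().resolves(true)`, which suggests the method reports an outcome, so a falsy result would still answer 200 while `authenticate` keeps rejecting the session as unverified. If the service signals failure through its return value rather than by throwing, guard on it before the 200, e.g. `const sessionVerified = await sessionService.verifySession(req, res);` and `if (verified && sessionVerified) {`; if it throws instead, a short comment saying so would settle the question. The enclosing try block begins outside the hunk, so whether a throw here reaches a catch is not visible.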
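Review bot: The test change only adds a `verifySession` stub for the auth-code path; nothing visible here stubs `isVerifiedSession` for the `authenticate` tests, and any existing `sessionService` stub that lacks it would now fail with a TypeError inside `authenticate` rather than exercising the new `user && isVerified` check. Other hunks of this test file may lie outside this chunk, but the `authenticate` cases should cover both `isVerifiedSession: sinon.stub().resolves(true)` and `.resolves(false)`, asserting that only the former sets `req.user`. The enclosing `describe`/`it` blocks start and end outside the hunk.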