diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 807127a01..1e2fc4481 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -201,11 +201,11 @@ exports.restartServer = async () => {
       secure: 'auto',
     },
   });
-  app.use(exports.sessionMiddleware);
 
-  app.use(cookieParser(settings.sessionKey, {}));
   // If webaccess.preAuthorize explicitly grants access, webaccess.checkAccess will skip all checks.
   app.use(webaccess.preAuthorize);
+  app.use(exports.sessionMiddleware);
+  app.use(cookieParser(settings.sessionKey, {}));
   app.use(webaccess.checkAccess);
 
   await Promise.all([