diff --git a/app/services/session.js b/app/services/session.js
index 016a90e..5b89b66 100644
--- a/app/services/session.js
+++ b/app/services/session.js
@@ -98,6 +98,9 @@ class SessionService extends SiteService {
 user.type = 'User';
 break;
 }
+ if (user && user.permissions && !user.permissions.canLogin) {
+ return done(null, null); // quietly destroys any login session they might have
+ }
 return done(null, user);
 } catch (error) {
 this.log.error('failed to deserialize user from session', { error });
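Review bot: The added guard fails open when `user.permissions` is missing, because the condition only rejects a user whose permissions object is present and has a falsy `canLogin`; a record loaded without that field falls through to `return done(null, user)`. If every account is expected to carry permissions, denying by default is safer: `if (user && !(user.permissions && user.permissions.canLogin)) {`. Whether the lookup earlier in this function always populates `permissions` is not visible here, since the function starts and ends outside the hunk, so confirm that before tightening the check. The rejection is also silent, while the catch path below logs through `this.log`; a log entry before the `return done(null, null)` would let operators see when a disabled account's session is being dropped.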