diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f4e0d041..d32a256a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -22,10 +22,10 @@ class ApplicationController < ActionController::Base
 end

 def find_or_login_current_user
- ExternalUser.find_by(id: session[:external_user_id]) ||
+ login_from_authentication_token ||
+ ExternalUser.find_by(id: session[:external_user_id]) ||
 login_from_session ||
 login_from_other_sources ||
- login_from_authentication_token ||
 nil
 end
 private :find_or_login_current_user
diff --git a/spec/features/authentication_spec.rb b/spec/features/authentication_spec.rb
index 5555b269..b98b77a4 100644
--- a/spec/features/authentication_spec.rb
+++ b/spec/features/authentication_spec.rb
@@ -107,6 +107,23 @@ describe 'Authentication' do
 visit(root_path)
 end

+ context "with an authentication token" do
+ let(:request_for_comment) { create(:rfc_with_comment, user: user) }
+ let(:study_group) { request_for_comment.submission.study_group }
+ let(:commenting_user) { InternalUser.create(attributes_for(:teacher)) }
+ let(:mail) { UserMailer.got_new_comment(request_for_comment.comments.first, request_for_comment, commenting_user) }
+ let(:rfc_link) { request_for_comment_url(request_for_comment, token: token.shared_secret) }
+
+ it 'still invalidates the token on login' do
+ token = create(:authentication_token, user: user, study_group: study_group)
+ mail = UserMailer.got_new_comment(request_for_comment.comments.first, request_for_comment, commenting_user)
+ mail.deliver_now
+ visit(request_for_comment_url(request_for_comment, token: token.shared_secret))
+ expect(token.reload.expire_at).to be_within(10.seconds).of(Time.zone.now)
+ end
+
+ end
+
 it "displays the user's displayname" do
 expect(page).to have_content(user.displayname)
 end
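Review bot: In `app/controllers/application_controller.rb`, putting `login_from_authentication_token` first in the `||` chain of `find_or_login_current_user` means a `token` parameter on any request now takes precedence over an already established session, so a signed-in user who follows a link carrying another account's token could end up acting under that other identity. `login_from_authentication_token` is defined outside this hunk, so it cannot be checked here whether it compares the token's user with `session[:external_user_id]` or calls `reset_session` before switching. If it does neither, that method should either consume the token while keeping the current session when the users differ, or call `reset_session` before logging in as the token's user. A comment above the chain such as `# Token is checked first so a used link is always invalidated, even with an active session` would record why the order matters, assuming that is the intent.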
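Review bot: In `spec/features/authentication_spec.rb`, `let(:rfc_link)` refers to `token`, which exists only as a local variable inside the example, so evaluating that `let` would raise `NameError`; it and `let(:mail)` are never used, because the example rebuilds both values itself. Define `let(:token) { create(:authentication_token, user: user, study_group: study_group) }` and use `mail` and `rfc_link` in the example, or drop the two unused `let`s. The example covers only a token issued for `user`; since the controller now evaluates the token before the session, a second example with a token belonging to a different user than the one already signed in would pin down which identity wins and that the old session does not carry over. The surrounding `describe` block and its sign-in setup start outside this hunk, so whether `user` is already logged in at this point is assumed from the example's name.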