diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 173f1e25..5e401697 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -40,7 +40,10 @@ class ApplicationController < ActionController::Base
     token = AuthenticationToken.find_by(shared_secret: params[:token])
     return unless token
-    auto_login(token.user) if token.expire_at.future?
+    if token.expire_at.future?
+      token.update(expire_at: Time.zone.now)
+      auto_login(token.user)
+    end
   end
 
   def set_sentry_context
diff --git a/spec/features/authentication_spec.rb b/spec/features/authentication_spec.rb
index 998d83fb..e28fce26 100644
--- a/spec/features/authentication_spec.rb
+++ b/spec/features/authentication_spec.rb
@@ -78,6 +78,25 @@ describe 'Authentication' do
       expect(page).to have_content(I18n.t('application.not_authorized'))
     end
   end
+
+  context 'when the authentication token is used to login' do
+    let(:token) { create(:authentication_token, user: user) }
+
+    it 'invalidates the token on login' do
+      mail.deliver_now
+      visit(rfc_link)
+      expect(token.reload.expire_at).to be_within(10.seconds).of(Time.zone.now)
+    end
+
+    it 'does not allow a second login' do
+      mail.deliver_now
+      visit(rfc_link)
+      expect(page).to have_current_path(rfc_link)
+      visit(sign_out_path)
+      visit(rfc_link)
+      expect(page).to have_current_path(root_path)
+    end
+  end
 end
 end
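Review bot: The single-use guarantee is not enforced atomically: `token.expire_at.future?` is checked in Ruby and only then is `expire_at` written, so two requests carrying the same token that arrive together can both pass the check and both call `auto_login` before either write lands, and `token.update` returning false (a validation failure) is ignored, leaving the token valid while the login still proceeds. Consuming the token with a conditional write and logging in only when exactly one row changed closes both gaps: `consumed = AuthenticationToken.where(id: token.id).where('expire_at > ?', Time.zone.now).update_all(expire_at: Time.zone.now)` followed by `auto_login(token.user) if consumed == 1` (note `update_all` bypasses model callbacks and validations, which may or may not matter for this model — confirm). At minimum `update!` should replace `update` so a failed invalidation raises rather than silently granting a reusable login. The enclosing method's signature is above the hunk, so any `find_by(shared_secret: params[:token])` concerns, such as a blank token parameter, are outside this change.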
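Review bot: In 'invalidates the token on login' the `be_within(10.seconds).of(Time.zone.now)` tolerance makes the assertion depend on wall-clock timing; wrapping the example in `freeze_time do ... end` (ActiveSupport time helpers) lets it assert `expect(token.reload.expire_at).to eq(Time.zone.now)` exactly and also documents that the token is expired at the moment of login rather than "around" it. In 'does not allow a second login' the second `visit(rfc_link)` asserts only the redirect to `root_path`; asserting that the token is still expired afterwards (`expect(token.reload.expire_at).to be_past`) would pin that the rejected request did not re-touch the token. `mail`, `rfc_link` and `user` are `let` bindings defined above this hunk, so their setup cannot be checked here.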