diff --git a/web/login/index.php b/web/login/index.php
index 87aa6f1a..bf3f2c28 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -16,6 +16,12 @@ if (isset($_GET['logout'])) {
 // Login as someone else
 if (isset($_SESSION['user'])) {
+ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+ session_destroy();
+ session_start();
+ header('Location: /login/');
+ exit();
+ }
 if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
 exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
 if ( $return_var == 0 ) {
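Review bot: The new token check compares the session token with `!=`, which is a loose comparison (numeric-looking strings such as `"1e1"` and `"10"` compare equal) and is not constant-time, and it only tests `isset($_GET['token'])`, so a missing `$_SESSION['token']` raises a warning and a `token[]=` array value would be compared as an array rather than rejected. A stricter guard is `if (!isset($_GET['token'], $_SESSION['token']) || !is_string($_GET['token']) || !hash_equals($_SESSION['token'], $_GET['token'])) {`, keeping the destroy-and-redirect body as added. Note also that `session_destroy()` followed by `session_start()` in the same request resumes the session under the same id from the client's cookie; if a fresh id is intended, `session_regenerate_id(true)` after the restart would be more explicit. The enclosing `if (isset($_SESSION['user']))` block continues past the end of the hunk.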