diff --git a/src/routes/+page.server.ts b/src/routes/+page.server.ts
index 55121be..5c36259 100644
--- a/src/routes/+page.server.ts
+++ b/src/routes/+page.server.ts
@@ -5,7 +5,7 @@ import { get2FARedirect } from "$lib/server/2fa";
 import type { Actions, PageServerLoadEvent, RequestEvent } from "./$types";
 
 export function load(event: PageServerLoadEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/passkey/+page.server.ts b/src/routes/2fa/passkey/+page.server.ts
index 2015faf..d25e586 100644
--- a/src/routes/2fa/passkey/+page.server.ts
+++ b/src/routes/2fa/passkey/+page.server.ts
@@ -5,7 +5,7 @@ import { getUserPasskeyCredentials } from "$lib/server/webauthn";
 import type { RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/passkey/register/+page.server.ts b/src/routes/2fa/passkey/register/+page.server.ts
index 010afb5..22cfa9b 100644
--- a/src/routes/2fa/passkey/register/+page.server.ts
+++ b/src/routes/2fa/passkey/register/+page.server.ts
@@ -28,7 +28,7 @@ import type {
 import type { Actions, RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/reset/+page.server.ts b/src/routes/2fa/reset/+page.server.ts
index 22029fe..e342cb1 100644
--- a/src/routes/2fa/reset/+page.server.ts
+++ b/src/routes/2fa/reset/+page.server.ts
@@ -8,7 +8,7 @@ export const actions: Actions = {
 };
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/security-key/+page.server.ts b/src/routes/2fa/security-key/+page.server.ts
index 02f319d..2cebebe 100644
--- a/src/routes/2fa/security-key/+page.server.ts
+++ b/src/routes/2fa/security-key/+page.server.ts
@@ -5,7 +5,7 @@ import { getUserSecurityKeyCredentials } from "$lib/server/webauthn";
 import type { RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/security-key/register/+page.server.ts b/src/routes/2fa/security-key/register/+page.server.ts
index 2cb8c1f..55b882d 100644
--- a/src/routes/2fa/security-key/register/+page.server.ts
+++ b/src/routes/2fa/security-key/register/+page.server.ts
@@ -32,7 +32,7 @@ import type {
 import type { Actions, RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/setup/+page.server.ts b/src/routes/2fa/setup/+page.server.ts
index 909e04b..791a5fe 100644
--- a/src/routes/2fa/setup/+page.server.ts
+++ b/src/routes/2fa/setup/+page.server.ts
@@ -3,7 +3,7 @@ import { redirect } from "@sveltejs/kit";
 import type { RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/totp/+page.server.ts b/src/routes/2fa/totp/+page.server.ts
index 85bf5a8..be230cf 100644
--- a/src/routes/2fa/totp/+page.server.ts
+++ b/src/routes/2fa/totp/+page.server.ts
@@ -6,7 +6,7 @@ import { setSessionAs2FAVerified } from "$lib/server/session";
 import type { Actions, RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/2fa/totp/setup/+page.server.ts b/src/routes/2fa/totp/setup/+page.server.ts
index d242104..dd8d927 100644
--- a/src/routes/2fa/totp/setup/+page.server.ts
+++ b/src/routes/2fa/totp/setup/+page.server.ts
@@ -9,7 +9,7 @@ import { get2FARedirect } from "$lib/server/2fa";
 import type { Actions, RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/recovery-code/+page.server.ts b/src/routes/recovery-code/+page.server.ts
index 3e39eae..8e3e001 100644
--- a/src/routes/recovery-code/+page.server.ts
+++ b/src/routes/recovery-code/+page.server.ts
@@ -5,7 +5,7 @@ import { get2FARedirect } from "$lib/server/2fa";
 import type { RequestEvent } from "./$types";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (!event.locals.user.emailVerified) {
diff --git a/src/routes/settings/+page.server.ts b/src/routes/settings/+page.server.ts
index 2aefb99..18c1eec 100644
--- a/src/routes/settings/+page.server.ts
+++ b/src/routes/settings/+page.server.ts
@@ -28,7 +28,7 @@ import type { Actions, RequestEvent } from "./$types";
 import type { SessionFlags } from "$lib/server/session";
 
 export async function load(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return redirect(302, "/login");
 	}
 	if (event.locals.user.registered2FA && !event.locals.session.twoFactorVerified) {
@@ -58,7 +58,7 @@ export const actions: Actions = {
 };
 
 async function updatePasswordAction(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return fail(401, {
 			password: {
 				message: "Not authenticated"
@@ -207,7 +207,7 @@ async function disconnectTOTPAction(event: RequestEvent) {
 }
 
 async function deletePasskeyAction(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return fail(401);
 	}
 	if (!event.locals.user.emailVerified) {
@@ -235,7 +235,7 @@ async function deletePasskeyAction(event: RequestEvent) {
 }
 
 async function deleteSecurityKeyAction(event: RequestEvent) {
-	if (event.locals.user === null || event.locals.session === null) {
+	if (event.locals.session === null || event.locals.user === null) {
 		return fail(401);
 	}
 	if (!event.locals.user.emailVerified) {