diff --git a/internal/session/auth.go b/internal/session/auth.go
index 5eb23bdb..e98c755f 100644
--- a/internal/session/auth.go
+++ b/internal/session/auth.go
@@ -19,6 +19,10 @@ func (manager *SessionManagerCtx) Authenticate(r *http.Request) (types.Session,
 		return nil, fmt.Errorf("session not found")
 	}
 
+	if !session.Profile().CanLogin {
+		return nil, fmt.Errorf("login disabled")
+	}
+
 	return session, nil
 }