diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 360f57277..a49ba78c8 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -4,6 +4,7 @@ if (!empty($_GET['sso_token'])) {
 $username = domain_admin_sso('check', $_GET['sso_token']);
 if ($username !== false) {
+ session_regenerate_id();
 $_SESSION['mailcow_cc_username'] = $username;
 $_SESSION['mailcow_cc_role'] = 'domainadmin';
 header('Location: /mailbox');
@@ -87,18 +88,21 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 $as = check_login($login_user, $_POST["pass_user"]);
 if ($as == "admin") {
+ session_regenerate_id();
 $_SESSION['mailcow_cc_username'] = $login_user;
 $_SESSION['mailcow_cc_role'] = "admin";
 header("Location: /debug");
 die();
 }
 elseif ($as == "domainadmin") {
+ session_regenerate_id();
 $_SESSION['mailcow_cc_username'] = $login_user;
 $_SESSION['mailcow_cc_role'] = "domainadmin";
 header("Location: /mailbox");
 die();
 }
 elseif ($as == "user") {
+ session_regenerate_id();
 $_SESSION['mailcow_cc_username'] = $login_user;
 $_SESSION['mailcow_cc_role'] = "user";
 $http_parameters = explode('&', $_SESSION['index_query_string']);
@@ -122,7 +126,9 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 unset($_SESSION['pending_tfa_methods']);
 unset($_SESSION['mailcow_cc_username']);
 unset($_SESSION['mailcow_cc_role']);
- }
+ } else {
+ session_regenerate_id();
+ }
 }
 if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) {
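Review bot: The added `session_regenerate_id();` in the SSO branch is called without the `delete_old_session` argument, so the previous session record is left on the server until garbage collection and a session ID that was known before login keeps resolving to that stale record for the interval; `session_regenerate_id(true);` removes the old record at once. The same applies to the three calls in the `check_login` hunk and to the new `else` branch in the last hunk, so change all five together. Issuing the call before `mailcow_cc_username` and `mailcow_cc_role` are written, as this hunk does, is the right order. The enclosing `if (!empty($_GET['sso_token']))` block starts and ends outside the hunk, so whether the redirect is followed by a `die()` is not visible here.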
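Review bot: The identical `session_regenerate_id();` line now opens the `admin`, `domainadmin` and `user` branches, and the same rotation for the pending case is added in a separate `else` further down, which spreads one concern over four places. One guarded call before the chain, `if (in_array($as, ['admin', 'domainadmin', 'user'], true)) { session_regenerate_id(); }`, covers these three branches at one spot and keeps the branches to the role and redirect logic they already contain. While touching these lines, the role comparisons `$as == "admin"` and siblings would be more precise as `===`, since `check_login`'s return values are not visible here and loose comparison treats numeric strings specially. The enclosing `if (isset($_POST["login_user"]) ...)` block starts and ends outside the hunk.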
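Review bot: The new `else` branch rotates the session ID for whatever value of `$as` matched none of the preceding conditions, and nothing in the hunk says which case that is; from the `unset($_SESSION['pending_tfa_methods'])` lines above it this looks like the second-factor-pending path, but the `elseif` heading that block and the rest of the chain are outside the hunk. A short comment such as `// second factor still pending: rotate the session ID now so the pre-login ID never carries the pending state` would stop a reader from taking it for a generic catch-all. If the step that later promotes the pending username and role to the real ones lives elsewhere, that privilege change is also a point where the ID should be regenerated, which this diff cannot show.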