diff --git a/frontend/src/router/index.js b/frontend/src/router/index.js
index 73024d4..c21d8c7 100644
--- a/frontend/src/router/index.js
+++ b/frontend/src/router/index.js
@@ -72,7 +72,6 @@ const router = createRouter({
 
 router.beforeEach(async (to) => {
 const auth = authStore()
- const sec = securityStore()
 
 // check if the request was a successful oauth login
 if ('wgLoginState' in to.query && !auth.IsAuthenticated) {
@@ -122,8 +121,13 @@ router.beforeEach(async (to) => {
 auth.SetReturnUrl(to.fullPath) // store original destination before starting the auth process
 return '/login'
 }
+})
 
- if (publicPages.includes(to.path)) {
+router.afterEach(async (to, from) => {
+ const sec = securityStore()
+ const csrfPages = ['/login']
+
+ if (csrfPages.includes(to.path)) {
 await sec.LoadSecurityProperties() // make sure we have a valid csrf token
 }
 })
diff --git a/internal/app/api/core/middleware/csrf/middleware.go b/internal/app/api/core/middleware/csrf/middleware.go
index ffa7bc2..688b6a8 100644
--- a/internal/app/api/core/middleware/csrf/middleware.go
+++ b/internal/app/api/core/middleware/csrf/middleware.go
@@ -68,14 +68,14 @@ func (m *Middleware) RefreshToken(next http.Handler) http.Handler {
 
 // mask the token
 maskedToken := maskToken(token, key)
-
- // store the encoded token in the session
 encodedToken := encodeToken(maskedToken)
- m.o.sessionWriter(r, encodedToken)
 
 // pass the token down the chain via the context
 r = r.WithContext(setToken(r.Context(), encodedToken))
 
+ // store the token in the session
+ m.o.sessionWriter(r, encodedToken)
+
 next.ServeHTTP(w, r)
 })
 }
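Review bot: The new `router.afterEach` hook in frontend/src/router/index.js is declared `async`, but assuming this is Vue Router (the file calls `createRouter`), after-hooks cannot delay navigation and their returned promise is not awaited, so `/login` can render and be submitted before `sec.LoadSecurityProperties()` has delivered a CSRF token, and a failed load surfaces only as an unhandled rejection. If the token must exist before the login view is usable, keep the load in `beforeEach` limited to `/login`; otherwise handle the failure explicitly, e.g. `try { await sec.LoadSecurityProperties() } catch (e) { console.error('loading CSRF token failed', e) }`. The `from` parameter is unused, and `csrfPages` now lists only `/login`, so it is worth confirming that no other entry of `publicPages` (defined outside this hunk) relied on the token refresh.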
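Review bot: In `RefreshToken` (internal/app/api/core/middleware/csrf/middleware.go) the call `m.o.sessionWriter(r, encodedToken)` now depends on running after `r.WithContext(...)`, but the new comment `// store the token in the session` does not say why the order matters, so a later cleanup could move it back. A comment such as `// store the token in the session; must follow WithContext so sessionWriter receives the request that carries the token` would record this, if that is indeed the reason for the move. The value written to the session is the masked, encoded token rather than the raw one; the validation side is not in this hunk, so confirm that it unmasks before comparing. The function body starts outside the hunk.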