diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 2b65f31af28911528525d35d7774c4b7ca1d5810..6219a89e5b3b08ffa14b509519a2c4cf31198cb0 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter {
 	 */
 	public function login($uid, $password) {
 		$this->session->regenerateId();
-		if ($this->validateToken($password)) {
+		if ($this->validateToken($password, $uid)) {
 			// When logging in with token, the password must be decrypted first before passing to login hook
 			try {
 				$token = $this->tokenProvider->getToken($password);
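Review bot: The `if ($this->validateToken($password, $uid))` line has no comment explaining what happens when a real token is presented with a different login name. In that case the token branch is skipped and, judging by the new test in SessionTest.php, the same string is passed to `checkPassword` as an ordinary password. That means a valid device token may be forwarded to whatever user backends are configured, which is worth stating above the `if`, for example `// A token whose login name does not match $uid is not treated as a token; the value falls through to the password check below`. The rest of login() lies outside this hunk, so the fall-through is inferred from the test rather than seen here.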
@@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter {
 	 * Invalidates the token if checks fail
 	 *
 	 * @param string $token
+	 * @param string $user login name
 	 * @return boolean
 	 */
-	private function validateToken($token) {
+	private function validateToken($token, $user = null) {
 		try {
 			$dbToken = $this->tokenProvider->getToken($token);
 		} catch (InvalidTokenException $ex) {
 			return false;
 		}
 
+		// Check if login names match
+		if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+			// TODO: this makes it imposssible to use different login names on browser and client
+			// e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+			//      allow to use the client token with the login name 'user'.
+			return false;
+		}
+
 		if (!$this->checkTokenCredentials($dbToken, $token)) {
 			return false;
 		}
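Review bot: Defaulting `$user = null` in `validateToken($token, $user = null)` makes the new login-name check opt-in, so any caller that omits the argument silently skips it. Only the call in login() is visible in this diff; the other call sites should be checked, or the parameter made required. The docblock should also say so: `@param string|null $user login name the token must belong to, null skips the check`. The summary line "Invalidates the token if checks fail" no longer holds for the new branch, which returns false without invalidating; that looks like the right choice, since a wrong login name should not revoke someone else's token, but it deserves a sentence in the docblock. A mismatch between a valid token and the supplied login name is also a useful signal to log if a logger is available in this class.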
diff --git a/tests/lib/User/SessionTest.php b/tests/lib/User/SessionTest.php
index eef4c7ff5ea63627915d596ccf8bd862b79524d0..447c6142f3414676c3432a6faa0365dfb83547d6 100644
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@@ -314,6 +314,36 @@ class SessionTest extends \Test\TestCase {
 		$userSession->login('foo', 'bar');
 	}
 
+	/**
+	 * When using a device token, the loginname must match the one that was used
+	 * when generating the token on the browser.
+	 */
+	public function testLoginWithDifferentTokenLoginName() {
+		$session = $this->getMock('\OC\Session\Memory', array(), array(''));
+		$manager = $this->getMock('\OC\User\Manager');
+		$backend = $this->getMock('\Test\Util\User\Dummy');
+		$userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->tokenProvider, $this->config);
+		$username = 'user123';
+		$token = new \OC\Authentication\Token\DefaultToken();
+		$token->setLoginName($username);
+
+		$session->expects($this->never())
+			->method('set');
+		$session->expects($this->once())
+			->method('regenerateId');
+		$this->tokenProvider->expects($this->once())
+			->method('getToken')
+			->with('bar')
+			->will($this->returnValue($token));
+
+		$manager->expects($this->once())
+			->method('checkPassword')
+			->with('foo', 'bar')
+			->will($this->returnValue(false));
+
+		$userSession->login('foo', 'bar');
+	}
+
 	/**
 	 * @expectedException \OC\Authentication\Exceptions\PasswordLoginForbiddenException
 	 */
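Review bot: `testLoginWithDifferentTokenLoginName` never asserts the result of `$userSession->login('foo', 'bar')`, so the rejection is only implied by the mock expectations. Assuming login() returns a boolean (its return statement is outside this diff), `$this->assertFalse($userSession->login('foo', 'bar'));` would pin the outcome directly. The `$backend` mock is created but never used and can be removed. A companion test in which the token's login name equals the supplied uid would cover the accepting side of the new branch in validateToken().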