diff --git a/internal/db/session.go b/internal/db/session.go
index e8dce441..35c778c3 100644
--- a/internal/db/session.go
+++ b/internal/db/session.go
@@ -38,10 +38,12 @@ func DeleteSessionsBefore(ts int64) error {
 	return errors.WithStack(db.Where("last_active < ?", ts).Delete(&model.Session{}).Error)
 }
 
-func GetOldestSession(userID uint) (*model.Session, error) {
+// GetOldestActiveSession returns the oldest active session for the specified user.
+func GetOldestActiveSession(userID uint) (*model.Session, error) {
 	var s model.Session
-	if err := db.Where("user_id = ?", userID).Order("last_active ASC").First(&s).Error; err != nil {
-		return nil, errors.Wrap(err, "failed get oldest session")
+	if err := db.Where("user_id = ? AND status = ?", userID, model.SessionActive).
+		Order("last_active ASC").First(&s).Error; err != nil {
+		return nil, errors.Wrap(err, "failed get oldest active session")
 	}
 	return &s, nil
 }
diff --git a/internal/device/session.go b/internal/device/session.go
index a5f1711b..1d9e7ea5 100644
--- a/internal/device/session.go
+++ b/internal/device/session.go
@@ -47,7 +47,7 @@ func Handle(userID uint, deviceKey, ua, ip string) error {
 		if count >= int64(max) {
 			policy := setting.GetStr(conf.DeviceEvictPolicy, "deny")
 			if policy == "evict_oldest" {
-				if oldest, err := db.GetOldestSession(userID); err == nil {
+				if oldest, err := db.GetOldestActiveSession(userID); err == nil {
 					if err := db.MarkInactive(oldest.DeviceKey); err != nil {
 						return err
 					}
@@ -81,7 +81,7 @@ func EnsureActiveOnLogin(userID uint, deviceKey, ua, ip string) error {
 				if count >= int64(max) {
 					policy := setting.GetStr(conf.DeviceEvictPolicy, "deny")
 					if policy == "evict_oldest" {
-						if oldest, gerr := db.GetOldestSession(userID); gerr == nil {
+						if oldest, gerr := db.GetOldestActiveSession(userID); gerr == nil {
 							if err := db.MarkInactive(oldest.DeviceKey); err != nil {
 								return err
 							}
@@ -111,7 +111,7 @@ func EnsureActiveOnLogin(userID uint, deviceKey, ua, ip string) error {
 		if count >= int64(max) {
 			policy := setting.GetStr(conf.DeviceEvictPolicy, "deny")
 			if policy == "evict_oldest" {
-				if oldest, gerr := db.GetOldestSession(userID); gerr == nil {
+				if oldest, gerr := db.GetOldestActiveSession(userID); gerr == nil {
 					if err := db.MarkInactive(oldest.DeviceKey); err != nil {
 						return err
 					}