diff --git a/shared/infrastructure/factory.py b/shared/infrastructure/factory.py
index 5c29852..88c84c0 100644
--- a/shared/infrastructure/factory.py
+++ b/shared/infrastructure/factory.py
@@ -147,16 +147,8 @@ def create_base_app(
 g.scheme = request.scheme
 g.host = request.host
 
- @app.before_request
- async def _load_user():
- await load_current_user()
-
- # Register any app-specific before-request hooks (e.g. cart loader)
- if before_request_fns:
- for fn in before_request_fns:
- app.before_request(fn)
-
 # Auth state check via grant verification + silent OAuth handshake
+ # MUST run before _load_user so stale sessions are cleared first
 if name != "account":
 @app.before_request
 async def _check_auth_state():
@@ -248,6 +240,15 @@ def create_base_app(
 return
 return redirect(f"/auth/login?prompt=none&next={_quote(request.url, safe='')}")
 
+ @app.before_request
+ async def _load_user():
+ await load_current_user()
+
+ # Register any app-specific before-request hooks (e.g. cart loader)
+ if before_request_fns:
+ for fn in before_request_fns:
+ app.before_request(fn)
+
 @app.before_request
 async def _csrf_protect():
 await protect()
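Review bot: The added comment states an ordering requirement that holds only when `name != "account"`: on the account app `_check_auth_state` is never registered, so the `_load_user` re-added in the second hunk still runs against a session that nothing has cleared. If that is intentional, the comment should say so, for example `# MUST run before _load_user so stale sessions are cleared first; skipped for "account" because <reason>`. The body of `_check_auth_state` lies outside the hunk, so it is worth confirming that nothing in it reads state populated by `load_current_user()`, which would now be unset when the check runs.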
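Review bot: The ordering that the first hunk calls mandatory is enforced here only by where this block sits in `create_base_app`, so a later edit that moves or adds a `before_request` registration can silently restore the old order. A comment above the re-added `_load_user`, such as `# Keep after _check_auth_state and before _csrf_protect: hooks run in registration order`, and a test asserting that order would pin it. The hooks in `before_request_fns` now run only when `_check_auth_state` returns nothing, assuming the framework stops at the first hook that returns a response. On the `prompt=none` redirect path they are skipped, so any hook whose side effects are expected on every request should be checked. `create_base_app` starts and ends outside the hunk.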