If we don't, they will trigger the login handler and invalidate the
current session (if any), which prevents the user from being able to
log in.