diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f540da41bb7..205d79881b6 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -98,6 +98,14 @@ def expert_signed_in?
 current_expert.present?
 end
 
+ # calling current_user in a before_action will trigger the warden authentication (devise behavior)
+ # which is not what we want in a before_action of a sign_in action (current_user should be nil before explicit sign_in)
+ # so we need to override current_user to avoid this
+ # https://github.com/heartcombo/devise/issues/5602#issuecomment-1876164084
+ def current_user
+ super if warden.authenticated?(scope: :user)
+ end
+
 def current_account
 {
 gestionnaire: current_gestionnaire,
diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb
index 5ed883879d8..6e72c134d54 100644
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@@ -99,11 +99,12 @@
 context 'when email domain is in mandatory list' do
 let(:email) { 'user@beta.gouv.fr' }
 
- it 'redirects to agent connect with force parameter' do
+ it 'redirects to agent connect with force parameter and is not logged in' do
 expect(AgentConnectService).to receive(:enabled?).and_return(true)
 subject
 expect(response).to redirect_to(agent_connect_path(force_agent_connect: true))
 expect(flash[:alert]).to eq("La connexion des agents passe à présent systématiquement par AgentConnect")
+ expect(controller.current_user).to be_nil
 end
 end
 end
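Review bot: `warden.authenticated?(scope: :user)` in the new `current_user` only asks Warden whether a user is already set for the scope; unlike Devise's default `current_user`, which goes through `warden.authenticate(scope: :user)`, it does not run Warden strategies, so a request that would previously have been authenticated lazily by a strategy (remember-me being the usual one) now sees `current_user` as nil until something calls `authenticate_user!`. This is inferred from Devise and Warden behaviour rather than from the hunk, so it is worth confirming against the app's remember-me setup and against any view, helper or authorization check that reads `current_user` without an `authenticate_user!` before_action in front of it. The override also lives in ApplicationController, so it applies to every controller, while the comment only motivates it for the sign-in before_action; either scope it to the sessions controller or extend the comment, e.g. `# NOTE: app-wide: current_user no longer runs warden strategies (remember-me etc.); only an explicit sign_in / authenticate_user! populates it`. The enclosing class starts and ends outside the hunk.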
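Review bot: The new assertion `expect(controller.current_user).to be_nil` only covers the unauthenticated path of the `current_user` override; nothing in this hunk checks that an already-authenticated session still returns the user through `super`, so an override that always returned nil would pass this spec unchanged. Unless another example already signs a user in and reads `controller.current_user`, add a sibling example that performs `sign_in(user)` (assuming the Devise controller test helpers are included here) before the action and expects `controller.current_user` to eq the user. Naming that example after the behaviour under test, the ApplicationController override, would make the link between the two files clearer; the surrounding describe block starts outside the hunk.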