diff --git a/pkg/middleware/middleware.go b/pkg/middleware/middleware.go
index 60869d7bd1f..0635ad55c64 100644
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -61,28 +61,6 @@ func GetContextHandler(ats *auth.UserAuthTokenService) macaron.Handler {
 		c.Map(ctx)
-		//if signed in with token
-		rotated, err := ats.RefreshToken(ctx.UserToken, ctx.RemoteAddr(), ctx.Req.UserAgent())
-		if err != nil {
-			ctx.Logger.Error("failed to rotate token", "error", err)
-			return
-		}
-
-		if rotated {
-			ctx.Logger.Info("new token", "unhashed token", ctx.UserToken.UnhashedToken)
-			ctx.Resp.Header().Del("Set-Cookie")
-			cookie := http.Cookie{
-				Name:     "grafana_session",
-				Value:    url.QueryEscape(ctx.UserToken.UnhashedToken),
-				HttpOnly: true,
-				//MaxAge: 600,
-				Domain:   setting.Domain,
-				Path:     setting.AppSubUrl + "/",
-			}
-
-			ctx.Resp.Header().Add("Set-Cookie", cookie.String())
-		}
-
 		// update last seen every 5min
 		if ctx.ShouldUpdateLastSeenAt() {
 			ctx.Logger.Debug("Updating last user_seen_at", "user_id", ctx.UserId)
@@ -114,6 +92,7 @@ func initContextWithAnonymousUser(ctx *m.ReqContext) bool {
 }
 func initContextWithToken(ctx *m.ReqContext, orgID int64, ts *auth.UserAuthTokenService) bool {
+	//auth User
 	unhashedToken := ctx.GetCookie("grafana_session")
 	if unhashedToken == "" {
 		return false
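Review bot: The added `//auth User` comment in the second hunk states nothing the function name does not already say, and it drops the space after `//` that the file's other comments use (`// update last seen every 5min`). If a comment is wanted at the top of initContextWithToken it should state the contract the visible lines establish, e.g. `// Authenticate the request from the grafana_session cookie; returns false when the cookie is absent.` The body of initContextWithToken continues past the end of this hunk.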
@@ -135,6 +114,27 @@ func initContextWithToken(ctx *m.ReqContext, orgID int64, ts *auth.UserAuthToken
 	ctx.IsSignedIn = true
 	ctx.UserToken = user
+	//rotate session token if needed.
+	rotated, err := ts.RefreshToken(ctx.UserToken, ctx.RemoteAddr(), ctx.Req.UserAgent())
+	if err != nil {
+		ctx.Logger.Error("failed to rotate token", "error", err, "user.id", user.UserId, "user_token.id", user.Id)
+		return true
+	}
+
+	if rotated {
+		ctx.Logger.Info("new token", "unhashed token", ctx.UserToken.UnhashedToken)
+		ctx.Resp.Header().Del("Set-Cookie")
+		cookie := http.Cookie{
+			Name:     "grafana_session",
+			Value:    url.QueryEscape(ctx.UserToken.UnhashedToken),
+			HttpOnly: true,
+			Domain:   setting.Domain,
+			Path:     setting.AppSubUrl + "/",
+		}
+
+		ctx.Resp.Header().Add("Set-Cookie", cookie.String())
+	}
+
 	return true
 }
diff --git a/pkg/services/auth/auth_token.go b/pkg/services/auth/auth_token.go
index 1b2c7307923..5a5b5fb005c 100644
--- a/pkg/services/auth/auth_token.go
+++ b/pkg/services/auth/auth_token.go
@@ -190,7 +190,7 @@ func (s *UserAuthTokenService) RefreshToken(token *models.UserAuthToken, clientI
 		needsRotation = rotatedAt.Before(now().Add(time.Duration(-30) * time.Second))
 	}
-	s.log.Info("refresh token", "needs rotation?", needsRotation, "auth_token_seen", token.AuthTokenSeen, "rotated_at", rotatedAt, "token.Id", token.Id)
+	s.log.Debug("refresh token", "needs rotation?", needsRotation, "auth_token_seen", token.AuthTokenSeen, "rotated_at", rotatedAt, "token.Id", token.Id)
 	if !needsRotation {
 		return false, nil
 	}
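Review bot: The freshly rotated session token is written to the log in plaintext at Info level on the moved `ctx.Logger.Info("new token", "unhashed token", ctx.UserToken.UnhashedToken)` line, while the same commit demotes the neighbouring RefreshToken logs in auth_token.go to Debug; anyone with read access to the logs can replay it as a valid session. Log only identifiers, e.g. `ctx.Logger.Debug("rotated session token", "user.id", user.UserId, "user_token.id", user.Id)`. The new cookie is also built without `Secure` or `SameSite`; if the config exposes a cookie-secure setting it presumably should be applied here, and `ctx.Resp.Header().Del("Set-Cookie")` discards every Set-Cookie header already queued on the response, not just an earlier grafana_session one. Note that on a rotation error the function now returns true, so the request proceeds as signed in with the old token rather than aborting as the removed GetContextHandler code did; that may be intended but deserves a comment. initContextWithToken begins before this hunk.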
@@ -216,7 +216,7 @@ func (s *UserAuthTokenService) RefreshToken(token *models.UserAuthToken, clientI
 	}
 	affected, _ := res.RowsAffected()
-	s.log.Info("rotated", "affected", affected, "auth_token_id", token.Id, "userId", token.UserId, "user_agent", userAgent, "client_ip", clientIP)
+	s.log.Debug("rotated", "affected", affected, "auth_token_id", token.Id, "userId", token.UserId, "user_agent", userAgent, "client_ip", clientIP)
 	if affected > 0 {
 		token.UnhashedToken = newToken
 		return true, nil
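Review bot: The value the new Debug line reports, and that the `if affected > 0` check below relies on to decide whether the token really rotated, comes from `affected, _ := res.RowsAffected()` whose error is silently dropped; a driver error there yields zero and the caller is told no rotation happened even though the UPDATE may have succeeded. Handle it explicitly: `affected, err := res.RowsAffected(); if err != nil { return false, err }`. The Debug line also records client IP and user agent, which is fine at debug level but worth keeping out of Info as this commit does. RefreshToken begins before this hunk and appears to continue past it.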