diff --git a/controller/controller.go b/controller/controller.go
index 3be1d667180a715dcc138c5b135771b4691062d8..dcd8e0676ff6c5d085ad78829ba4bb2b0ffe73c8 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -447,6 +447,7 @@ func ensureDefaultUserExists() error {
 }
 
 func deletAllExpiredUserTokens() error {
+	var usersToUpdate []rbac.User
 	// Temporarly create JWT manager just to evaluate tokens here
 	jwtManager := rbacImpl.NewJWTManager(config.JWTSecret, config.JWTDuration)
 
@@ -454,7 +455,8 @@ func deletAllExpiredUserTokens() error {
 	if err != nil {
 		return fmt.Errorf("error getting all users while deleting expires user tokens: %w", err)
 	}
-	for i, user := range users {
+
+	for _, user := range users {
 		tokens := user.GetTokens()
 		for _, token := range tokens {
 			claims, err := jwtManager.GetClaimsFromToken(token)
@@ -462,15 +464,16 @@ func deletAllExpiredUserTokens() error {
 				return fmt.Errorf("error getting claims from token while deleting expired user tokens: %w", err)
 			}
 			if claims.ExpiresAt < time.Now().Unix() {
-				err := users[i].RemoveToken(token)
+				err := user.RemoveToken(token)
 				if err != nil {
 					return fmt.Errorf("error removing token while deleting expired user tokens: %w", err)
 				}
+				usersToUpdate = append(usersToUpdate, user)
 			}
 		}
 	}
 
-	for _, user := range users {
+	for _, user := range usersToUpdate {
 		err := c.userService.Update(user)
 		if err != nil {
 			return fmt.Errorf("error updating user while deleting expired user tokens: %w", err)
diff --git a/controller/northbound/server/auth.go b/controller/northbound/server/auth.go
index 9924e5da49b87105acac7d42f1c264a8ecb1e87c..77477e3fba6a050ea64cef5954c4d7920941690f 100644
--- a/controller/northbound/server/auth.go
+++ b/controller/northbound/server/auth.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	apb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/rbac"
+	"code.fbi.h-da.de/danet/gosdn/controller/config"
 	rbacInterfaces "code.fbi.h-da.de/danet/gosdn/controller/interfaces/rbac"
 	"code.fbi.h-da.de/danet/gosdn/controller/metrics"
 	"code.fbi.h-da.de/danet/gosdn/controller/rbac"
@@ -93,7 +94,9 @@ func (s AuthServer) Login(ctx context.Context, request *apb.LoginRequest) (*apb.
 	}
 
 	userToUpdate.AddToken(token)
-
+	for len(userToUpdate.GetTokens()) > config.MaxTokensPerUser {
+		userToUpdate.RemoveToken(userToUpdate.GetTokens()[0])
+	}
 	err = s.userService.Update(userToUpdate)
 	if err != nil {
 		return nil, err
diff --git a/integration-tests/application_tests/application_test.go b/integration-tests/application_tests/application_test.go
index d5b69ae226115918d54656fd38cf4a2de150386f..9b3797a5540cb2c42231729a68b7fd6c6635c6e0 100644
--- a/integration-tests/application_tests/application_test.go
+++ b/integration-tests/application_tests/application_test.go
@@ -100,10 +100,10 @@ func TestMain(m *testing.M) {
 	// a user and role and update the user because of the login. After then only logins are done, no user and role creations.
 	// This means that this will block after trying once, because of the three attempts to read from eventChannels.
 
-	_ = <-application.addEventChannel
-	_ = <-application.addEventChannel
-	_ = <-application.addEventChannel
-	_ = <-application.updateEventChannel
+	<-application.addEventChannel
+	<-application.addEventChannel
+	<-application.addEventChannel
+	<-application.updateEventChannel
 
 	m.Run()
 }