diff --git a/internal/session/auth.go b/internal/session/auth.go
index 6e6eaaa1..b12c2637 100644
--- a/internal/session/auth.go
+++ b/internal/session/auth.go
@@ -55,6 +55,14 @@ func (manager *SessionManagerCtx) Authenticate(r *http.Request) (types.Session,
 }
 
 func (manager *SessionManagerCtx) getToken(r *http.Request) (string, bool) {
+ if manager.CookieEnabled() {
+ // get from Cookie
+ cookie, err := r.Cookie(manager.config.CookieName)
+ if err == nil {
+ return cookie.Value, true
+ }
+ }
+
 // get from Header
 reqToken := r.Header.Get("Authorization")
 splitToken := strings.Split(reqToken, "Bearer ")
@@ -62,12 +70,6 @@ func (manager *SessionManagerCtx) getToken(r *http.Request) (string, bool) {
 return strings.TrimSpace(splitToken[1]), true
 }
 
- // get from Cookie
- cookie, err := r.Cookie(manager.config.CookieName)
- if err == nil {
- return cookie.Value, true
- }
-
 // get from URL
 token := r.URL.Query().Get("token")
 if token != "" {
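Review bot: The new cookie branch at the top of getToken returns `cookie.Value, true` for any cookie that parses, including one with an empty value, so with cookies enabled an empty session cookie now wins over a valid `Authorization: Bearer` header on the same request instead of falling through to it. Tightening the guard to `if err == nil && cookie.Value != "" {` keeps the new precedence while still letting the header and URL lookups run when the cookie carries nothing; a non-empty but stale cookie will still take priority, which looks intended but should be stated. Since the cookie is a credential the browser attaches on its own, the lookup order deserves a doc comment on getToken, e.g. `// getToken reads the session token from the cookie (only when cookies are enabled), then the Authorization Bearer header, then the "token" query parameter.` How Authenticate treats a token that fails validation is outside this hunk, and getToken's body continues past it.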