diff --git a/backend/src/core/middlewares/auth.middleware.ts b/backend/src/core/middlewares/auth.middleware.ts
index 9260a902d..d01ad3692 100644
--- a/backend/src/core/middlewares/auth.middleware.ts
+++ b/backend/src/core/middlewares/auth.middleware.ts
@@ -253,9 +253,15 @@ export const InitAuthMiddleware = (authService: AuthService) => {
 const { code } = req.body
 const logMeta = { code, action: 'verifySgidCode' }
 try {
- if (!req.session) {
+ /*
+ Since Feb 8 2024, this endpoint is called twice when users attempt to log in via SGID on GSIB machines.
+ This is most likely due to *.postman.gov.sg being whitelisted on SGProxy but the SGID url is not.
+ The additional API call is made without req.session.sgid set and thus we add a check here and return a HTTP 400
+ if this is the case.
+ */
+ if (!req.session || !req.session.sgid) {
 logger.error({ message: 'Session object not found!', ...logMeta })
- return res.sendStatus(401)
+ return res.sendStatus(400)
 }
 const sgidUserInfo = await authService.verifySgidCode(req, code)
 if (!sgidUserInfo.authenticated) {
diff --git a/backend/src/core/services/auth.service.ts b/backend/src/core/services/auth.service.ts
index 98be5bb59..9376fa7f4 100644
--- a/backend/src/core/services/auth.service.ts
+++ b/backend/src/core/services/auth.service.ts
@@ -362,7 +362,8 @@ export const InitAuthService = (redisService: RedisService): AuthService => {
 }
 /**
- * Checks the user's sgID code and returns their singpass info if valid
+ * Checks the user's sgID code and returns their singpass info if valid.
+ * This function assumes that req.session.sgid has already been validated by the calling function.
 * @param req
 * @param code
 */
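Review bot: The widened guard `if (!req.session || !req.session.sgid)` now also fires when the session exists but `sgid` is absent, yet the log line still reads 'Session object not found!', which misdescribes the case the new comment says is the routine one; something like `logger.error({ message: 'Session or sgid login state not found', ...logMeta })` would keep the two conditions distinguishable in logs. Since the comment describes the second call as expected behaviour rather than a fault, logging it at error level will presumably produce steady alert noise — consider `logger.warn` unless the team relies on this signal. The same session check is deleted from auth.service.ts in the third hunk and replaced with `req.session!.sgid`, so any other caller of `verifySgidCode` that does not go through this middleware would now fail with a TypeError on an undefined session instead of the explicit 'Unable to find user session' error; keeping a cheap guard in the service (and dropping the non-null assertion) preserves defence in depth and honours the new doc comment's stated assumption. The enclosing middleware handler starts and ends outside this hunk.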
@@ -373,10 +374,7 @@ export const InitAuthService = (redisService: RedisService): AuthService => {
 | { authenticated: true; data: UserInfoReturn }
 | { authenticated: false; reason: string }
 > => {
- if (!req.session || !req.session.sgid) {
- throw new Error('Unable to find user session')
- }
- const { codeVerifier, nonce } = req.session.sgid
+ const { codeVerifier, nonce } = req.session!.sgid
 if (typeof codeVerifier !== 'string' || typeof nonce !== 'string') {
 throw new Error('Invalid parameter types')