diff --git a/server/src/game/isActive.go b/server/src/game/isActive.go
new file mode 100644
index 0000000..fb4564b
--- /dev/null
+++ b/server/src/game/isActive.go
@@ -0,0 +1,8 @@
+package game
+
+func (gm *Game) IsActive() bool {
+	gm.mu.Lock()
+	defer gm.mu.Unlock()
+
+	return gm.state != STATE_DISABLED
+}
diff --git a/server/src/game/setGameState.go b/server/src/game/setGameState.go
index 2216450..921846d 100644
--- a/server/src/game/setGameState.go
+++ b/server/src/game/setGameState.go
@@ -3,7 +3,8 @@ package game
 func (gm *Game) SetGameState(stateJson *GameStateJson) {
 	if stateJson.State == "idle" ||
 		stateJson.State == "collect" ||
-		stateJson.State == "final" {
+		stateJson.State == "final" ||
+		stateJson.State == "disabled" {
 
 		gm.state = stateJson.State
 		gm.phase = ""
diff --git a/server/src/handler/login.go b/server/src/handler/login.go
index 2c59d36..39e409e 100644
--- a/server/src/handler/login.go
+++ b/server/src/handler/login.go
@@ -33,6 +33,16 @@ func (authMux *AuthMux) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !usr.IsAdmin() {
+		gm, err := authMux.app.GetGameById(usr.GetGameId())
+		if err != nil || !gm.IsActive() {
+			log.ErrorLog(fmt.Errorf("game %s disabled for user %s", gm.GetId(), usr.GetName()))
+			http.SetCookie(w, authMux.createCookie())
+			authMux.accessDenied(w, r)
+			return
+		}
+	}
+
 	log.Info("%s logged into game %s\n", usr.GetName(), usr.GetGameId())
 
 	cookie := authMux.createCookie()
@@ -41,7 +51,6 @@ func (authMux *AuthMux) Login(w http.ResponseWriter, r *http.Request) {
 	http.SetCookie(w, cookie)
 	w.Header().Add("Content-Type", "text/plain")
 	fmt.Fprintf(w, "ok")
-
 }
 
 func (authMux *AuthMux) checkCode(r *http.Request) (*user.User, error) {
@@ -62,31 +71,34 @@ func (authMux *AuthMux) checkCode(r *http.Request) (*user.User, error) {
 }
 
 func (authMux *AuthMux) Cameo(usr *user.User, w http.ResponseWriter, r *http.Request) {
-	if !usr.IsAdmin() {
-		usrCameo := usr.GetCameo()
-		if usrCameo != nil && usrCameo.IsAdmin() {
-			cookie := authMux.createCookie()
-			cookie.Name = cookie.Name + "-cameo"
+	if usr.IsAdmin() {
+		cookie := authMux.createCookie()
+		cookie.Name = cookie.Name + "-cameo"
+		usrCameo, err := authMux.checkCode(r)
+		if err != nil {
 			http.SetCookie(w, cookie)
-			w.Header().Add("Content-Type", "text/plain")
-			fmt.Fprintf(w, "ok")
+			authMux.accessDenied(w, r)
 			return
 		}
-		authMux.accessDenied(w, r)
+
+		cookie.Value = usrCameo.GetId()
+		cookie.MaxAge = 0
+		http.SetCookie(w, cookie)
+		w.Header().Add("Content-Type", "text/plain")
+		fmt.Fprintf(w, "ok")
 		return
 	}
 
-	cookie := authMux.createCookie()
-	cookie.Name = cookie.Name + "-cameo"
-	usrCameo, err := authMux.checkCode(r)
-	if err != nil {
+	// non-admin: remove cameo cookie
+	usrCameo := usr.GetCameo()
+	if usrCameo != nil && usrCameo.IsAdmin() {
+		cookie := authMux.createCookie()
+		cookie.Name = cookie.Name + "-cameo"
 		http.SetCookie(w, cookie)
-		authMux.accessDenied(w, r)
+		w.Header().Add("Content-Type", "text/plain")
+		fmt.Fprintf(w, "ok")
 		return
 	}
-	cookie.Value = usrCameo.GetId()
-	cookie.MaxAge = 0
-	http.SetCookie(w, cookie)
-	w.Header().Add("Content-Type", "text/plain")
-	fmt.Fprintf(w, "ok")
+
+	authMux.accessDenied(w, r)
 }
diff --git a/server/src/handler/private.go b/server/src/handler/private.go
index 4cdaff2..98bf22b 100644
--- a/server/src/handler/private.go
+++ b/server/src/handler/private.go
@@ -50,6 +50,17 @@ func (authMux *AuthMux) getUserFromSession(r *http.Request) (*user.User, error)
 				return usrNew, nil
 			}
 		}
+
+		return usr, nil
+	}
+
+	// check if game is active
+	gm, err := authMux.app.GetGameById(usr.GetGameId())
+	if err != nil {
+		return nil, err
+	}
+	if !gm.IsActive() {
+		return nil, fmt.Errorf("game %s disabled for user %s (%s)", gm.GetId(), usr.GetId(), usr.GetName())
 	}
 
 	return usr, nil