diff --git a/keyserver/src/creators/account-creator.js b/keyserver/src/creators/account-creator.js
--- a/keyserver/src/creators/account-creator.js
+++ b/keyserver/src/creators/account-creator.js
@@ -32,7 +32,10 @@
 
 import createIDs from './id-creator.js';
 import createMessages from './message-creator.js';
-import { createAndPersistOlmSession } from './olm-session-creator.js';
+import {
+ persistFreshOlmSession,
+ createOlmSession,
+} from './olm-session-creator.js';
 import {
 createThread,
 createPrivateThread,
@@ -97,6 +100,18 @@
 throw new ServerError('username_taken');
 }
 
+ // Olm sessions have to be created before createNewUserCookie is called,
+ // to avoid propagating a user cookie in case session creation fails
+ const olmNotifSession = await (async () => {
+ if (initialNotificationsEncryptedMessage) {
+ return await createOlmSession(
+ initialNotificationsEncryptedMessage,
+ 'notifications',
+ );
+ }
+ return null;
+ })();
+
 const hash = bcrypt.hashSync(request.password);
 const time = Date.now();
 const deviceToken = request.deviceTokenUpdateRequest
@@ -124,10 +139,10 @@
 await setNewSession(viewer, calendarQuery, 0);
 }
 
- const olmSessionPromise = (async () => {
- if (userViewerData.cookieID && initialNotificationsEncryptedMessage) {
- await createAndPersistOlmSession(
- initialNotificationsEncryptedMessage,
+ const persistOlmNotifSessionPromise = (async () => {
+ if (olmNotifSession && userViewerData.cookieID) {
+ await persistFreshOlmSession(
+ olmNotifSession,
 'notifications',
 userViewerData.cookieID,
 );
@@ -144,7 +159,7 @@
 { forceAddMembers: true, silenceMessages: true, ignorePermissions: true },
 ),
 viewerAcknowledgmentUpdater(viewer, policyTypes.tosAndPrivacyPolicy),
- olmSessionPromise,
+ persistOlmNotifSessionPromise,
 ]);
 
 const [privateThreadResult, ashoatThreadResult] = await Promise.all([
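Review bot: The immediately-invoked async function wrapped around `createOlmSession` in the second hunk is awaited on the spot, so it adds nothing over a plain conditional: `const olmNotifSession = initialNotificationsEncryptedMessage ? await createOlmSession(initialNotificationsEncryptedMessage, 'notifications') : null;`. The call now runs on a client-supplied message before the cookie is created, so whatever it throws becomes the registration failure the client sees. createOlmSession is not shown here, so it is worth confirming that it raises a `ServerError` with a stable code rather than a raw library error. The enclosing function starts and ends outside the hunk.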
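Review bot: Persistence in `persistOlmNotifSessionPromise` (third hunk) still runs after the cookie exists, because it needs `userViewerData.cookieID`, so the ordering guarantee stated in the new comment covers session creation only. A rejection from `persistFreshOlmSession` would presumably still leave a cookie with no stored notifications session. The guard `if (olmNotifSession && userViewerData.cookieID)` also discards an already-created session without a trace when the cookie ID is missing. I would add a comment above the guard such as `// persisting can still fail after the cookie is issued; the client must then re-establish the notifications session`, and log the discard case. The closing lines of this async function are outside the hunk.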