diff --git a/app/controllers/maintenance/user/deletions_controller.rb b/app/controllers/maintenance/user/deletions_controller.rb
index 9f3f592ce..351b26c1a 100644
--- a/app/controllers/maintenance/user/deletions_controller.rb
+++ b/app/controllers/maintenance/user/deletions_controller.rb
@@ -8,8 +8,6 @@ module Maintenance
 deletion = UserDeletion.new(CurrentUser.user, params[:password])
 deletion.delete!
 session.delete(:user_id)
- cookies.delete(:password_hash)
- cookies.delete(:user_name)
 redirect_to(posts_path, :notice => "You are now logged out")
 end
 end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 140effd02..d9ba48578 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -22,8 +22,6 @@ class SessionsController < ApplicationController
 def destroy
 session.delete(:user_id)
- cookies.delete(:user_name)
- cookies.delete(:password_hash)
 redirect_to(posts_path, :notice => "You are now logged out")
 end
diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb
index 78b28798e..4499c0564 100644
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -1,12 +1,11 @@
 class SessionLoader
 class AuthenticationFailure < StandardError; end
- attr_reader :session, :cookies, :request, :params
+ attr_reader :session, :request, :params
 def initialize(request)
 @request = request
 @session = request.session
- @cookies = request.cookie_jar
 @params = request.parameters
 end
@@ -20,8 +19,6 @@ class SessionLoader
 load_param_user(params[:signed_user_id])
 elsif session[:user_id]
 load_session_user
- elsif cookie_password_hash_valid?
- load_cookie_user
 end
 set_statement_timeout
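Review bot: With `cookies.delete(:password_hash)` and `cookies.delete(:user_name)` dropped from this logout action, from SessionsController#destroy (second hunk of this diff) and from SessionLoader#initialize_session_cookies (the hunk that removes the "clear out legacy login cookies if present" block), nothing in the application clears the legacy login cookies any more, and the removed `bcrypt_cookie_password_hash` shows that `password_hash` carried a slice of the user's bcrypt password hash. Browsers that still hold that cookie will presumably keep presenting it on requests until it expires on their side, even though the server no longer reads it, and with `attr_reader :cookies` gone the loader no longer has the jar at hand to sweep it. Keep a sweep for a transition period, e.g. in initialize_session_cookies `request.cookie_jar.delete(:user_name)` and `request.cookie_jar.delete(:password_hash)` under the existing comment explaining why, and remove it once the legacy cookies can be assumed expired. The enclosing action's `def` line is outside this hunk.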
@@ -91,15 +88,6 @@ class SessionLoader
 CurrentUser.user = user if user
 end
- def load_cookie_user
- CurrentUser.user = User.find_by_name(cookies.signed[:user_name])
- session[:user_id] = CurrentUser.user.id
- end
-
- def cookie_password_hash_valid?
- cookies[:password_hash] && cookies.signed[:user_name] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
- end
-
 def update_last_logged_in_at
 return if CurrentUser.is_anonymous?
 return if CurrentUser.last_logged_in_at && CurrentUser.last_logged_in_at > 1.week.ago
@@ -124,9 +112,5 @@ class SessionLoader
 def initialize_session_cookies
 session.options[:expire_after] = 20.years
 session[:started_at] ||= Time.now.utc.to_s
-
- # clear out legacy login cookies if present
- cookies.delete(:user_name)
- cookies.delete(:password_hash)
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 89219d85a..770f3795e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -165,10 +165,6 @@ class User < ApplicationRecord
 BCrypt::Password.new(bcrypt_password_hash)
 end
- def bcrypt_cookie_password_hash
- bcrypt_password_hash.slice(20, 100)
- end
-
 def password=(new_password)
 @password = new_password
 self.bcrypt_password_hash = User.bcrypt(new_password)
@@ -205,15 +201,6 @@ class User < ApplicationRecord
 end
 end
- def authenticate_cookie_hash(name, hash)
- user = find_by_name(name)
- if user && user.bcrypt_cookie_password_hash == hash
- user
- else
- nil
- end
- end
-
 def bcrypt(pass)
 BCrypt::Password.create(sha1(pass))
 end
diff --git a/test/functional/maintenance/user/api_keys_controller_test.rb b/test/functional/maintenance/user/api_keys_controller_test.rb
index 22c037e70..a47ec34b1 100644
--- a/test/functional/maintenance/user/api_keys_controller_test.rb
+++ b/test/functional/maintenance/user/api_keys_controller_test.rb
@@ -23,25 +23,6 @@ module Maintenance
 assert_response :success
 end
- # hard to test this in integrationtest
- # context "if the user doesn't already have an api key" do
- # setup do
- # ::User.any_instance.stubs(:api_key).returns(nil)
- # cookies[:user_name] = @user.name
- # cookies[:password_hash] = @user.bcrypt_cookie_password_hash
- # end
-
- # should "generate one" do
- # ApiKey.expects(:generate!)
-
- # assert_difference("ApiKey.count", 1) do
- # post view_maintenance_user_api_key_path(user_id: @user.id), params: {user: {password: "password"}}
- # end
-
- # assert_not_nil(@user.reload.api_key)
- # end
- # end
-
 should "not generate another API key if the user already has one" do
 assert_difference("ApiKey.count", 0) do
 post_auth view_maintenance_user_api_key_path(user_id: @user.id), @user, params: {user: {password: "password"}}
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 4ac415fe3..fd62fba11 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -151,15 +151,6 @@ class UserTest < ActiveSupport::TestCase
 end
 context "password" do
- should "match the cookie hash" do
- @user = FactoryBot.create(:user)
- @user.password = "zugzug5"
- @user.password_confirmation = "zugzug5"
- @user.save
- @user.reload
- assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_cookie_password_hash))
- end
-
 should "match the confirmation" do
 @user = FactoryBot.create(:user)
 @user.old_password = "password"