diff --git a/src/routes/api/login.js b/src/routes/api/login.js
index bdb289d04..7ecb4ac18 100644
--- a/src/routes/api/login.js
+++ b/src/routes/api/login.js
@@ -57,6 +57,7 @@ async function loginToProtectedSession(req) {
 
     const protectedSessionId = protectedSessionService.setDataKey(decryptedDataKey);
 
+    // this is set here so that event handlers have access to the protected session
     cls.namespace.set('protectedSessionId', protectedSessionId);
 
     eventService.emit(eventService.ENTER_PROTECTED_SESSION);
diff --git a/src/routes/api/tree.js b/src/routes/api/tree.js
index 40f26aff1..f1d0ac8d4 100644
--- a/src/routes/api/tree.js
+++ b/src/routes/api/tree.js
@@ -37,7 +37,7 @@ async function getTree() {
               JOIN tree ON branches.parentNoteId = tree.noteId
               WHERE tree.isExpanded = 1 AND branches.isDeleted = 0
           )
-        SELECT branches.* FROM tree JOIN branches USING(noteId)`);
+        SELECT branches.* FROM tree JOIN branches USING(noteId) ORDER BY branches.notePosition`);
 
     const noteIds = branches.map(b => b.noteId);