diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2f461b8..6e79c123 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 * Provide `<IfAnyPermission>` and `stripes.hasAnyPermission()`. Refs STCOR-910.
 * Use the `users-keycloak/_self` endpoint conditionally when the `users-keycloak` interface is present; otherwise, use `bl-users/_self` within `useUserTenantPermissions`. Refs STCOR-905.
 * Don't override initial discovery and okapi data in test mocks. Refs STCOR-913.
+* On resuming session, spread session and `_self` together to preserve session values. Refs STCOR-912.
 
 ## [10.2.0](https://github.com/folio-org/stripes-core/tree/v10.2.0) (2024-10-11)
 [Full Changelog](https://github.com/folio-org/stripes-core/compare/v10.1.1...v10.2.0)
diff --git a/src/loginServices.js b/src/loginServices.js
index 9216bedb..7403ada1 100644
--- a/src/loginServices.js
+++ b/src/loginServices.js
@@ -807,7 +807,10 @@ export function validateUser(okapiUrl, store, tenant, session) {
         // data isn't provided by _self.
         store.dispatch(setSessionData({
           isAuthenticated: true,
-          user,
+          // spread data from the previous session (which may include session-specific
+          // values such as the current service point), and the restructured user object
+          // (which includes permissions in a lookup-friendly way)
+          user: { ...session.user, ...user },
           perms,
           tenant: sessionTenant,
           token,
diff --git a/src/loginServices.test.js b/src/loginServices.test.js
index 16163936..dcf5657b 100644
--- a/src/loginServices.test.js
+++ b/src/loginServices.test.js
@@ -350,7 +350,11 @@ describe('validateUser', () => {
     };
 
     const session = {
-      user: { id: 'id', username: 'username' },
+      user: {
+        id: 'id',
+        username: 'username',
+        storageOnlyValue: 'is still persisted',
+      },
       perms: { foo: true },
       tenant: sessionTenant,
       token: 'token',
@@ -361,7 +365,7 @@ describe('validateUser', () => {
     await validateUser('url', store, tenant, session);
 
     const updatedSession = {
-      user: data.user,
+      user: { ...session.user, ...data.user },
       isAuthenticated: true,
       perms: { ask: true, tell: true },
       tenant: session.tenant,