diff --git a/lib/browser/api/app.js b/lib/browser/api/app.js
index f8a531626bf7..09835a792e0e 100644
--- a/lib/browser/api/app.js
+++ b/lib/browser/api/app.js
@@ -1,6 +1,7 @@
 'use strict'
 
-const {deprecate, Menu, session} = require('electron')
+const electron = require('electron')
+const {deprecate, Menu} = electron
 const {EventEmitter} = require('events')
 
 const bindings = process.atomBinding('app')
@@ -49,7 +50,7 @@ app.allowNTLMCredentialsForAllDomains = function (allow) {
   if (!this.isReady()) {
     this.commandLine.appendSwitch('auth-server-whitelist', domains)
   } else {
-    session.defaultSession.allowNTLMCredentialsForDomains(domains)
+    electron.session.defaultSession.allowNTLMCredentialsForDomains(domains)
   }
 }
 
diff --git a/lib/browser/api/web-contents.js b/lib/browser/api/web-contents.js
index cb8cf41e3aa6..059f204e1ee7 100644
--- a/lib/browser/api/web-contents.js
+++ b/lib/browser/api/web-contents.js
@@ -1,7 +1,11 @@
 'use strict'
 
 const {EventEmitter} = require('events')
-const {ipcMain, Menu, NavigationController} = require('electron')
+const {ipcMain, session, Menu, NavigationController} = require('electron')
+
+// session is not used here, the purpose is to make sure session is initalized
+// before the webContents module.
+session
 
 const binding = process.atomBinding('web_contents')
 const debuggerBinding = process.atomBinding('debugger')