diff --git a/main.go b/main.go
index c36a66e..a9db79c 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+ "crypto/sha512"
  "embed"
  "flag"
  "fmt"
@@ -136,7 +137,7 @@ func init() {
  util.SendgridApiKey = flagSendgridApiKey
  util.EmailFrom = flagEmailFrom
  util.EmailFromName = flagEmailFromName
- util.SessionSecret = []byte(flagSessionSecret)
+ util.SessionSecret = sha512.Sum512([]byte(flagSessionSecret))
  util.WgConfTemplate = flagWgConfTemplate
  util.BasePath = util.ParseBasePath(flagBasePath)
  util.SubnetRanges = util.ParseSubnetRanges(flagSubnetRanges)
diff --git a/router/router.go b/router/router.go
index 569ebaf..58e3ec7 100644
--- a/router/router.go
+++ b/router/router.go
@@ -48,9 +48,20 @@ func (t *TemplateRegistry) Render(w io.Writer, name string, data interface{}, c
 }
 
 // New function
-func New(tmplDir fs.FS, extraData map[string]interface{}, secret []byte) *echo.Echo {
+func New(tmplDir fs.FS, extraData map[string]interface{}, secret [64]byte) *echo.Echo {
  e := echo.New()
- e.Use(session.Middleware(sessions.NewCookieStore(secret)))
+
+ cookiePath := util.BasePath
+ if cookiePath == "" {
+ cookiePath = "/"
+ }
+
+ cookieStore := sessions.NewCookieStore(secret[:32], secret[32:])
+ cookieStore.Options.Path = cookiePath
+ cookieStore.Options.HttpOnly = true
+ cookieStore.MaxAge(86400 * 7)
+
+ e.Use(session.Middleware(cookieStore))
 
  // read html template file to string
  tmplBaseString, err := util.StringFromEmbedFile(tmplDir, "base.html")
diff --git a/util/config.go b/util/config.go
index 796775c..acc3a79 100644
--- a/util/config.go
+++ b/util/config.go
@@ -22,7 +22,7 @@ var (
  SendgridApiKey string
  EmailFrom string
  EmailFromName string
- SessionSecret []byte
+ SessionSecret [64]byte
  WgConfTemplate string
  BasePath string
  SubnetRanges map[string]([]*net.IPNet)
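Review bot: The `sha512.Sum512([]byte(flagSessionSecret))` line in `init()` only expands the flag value to 64 bytes; it adds no entropy. An empty or short `flagSessionSecret` therefore still produces cookie keys that anyone who knows or guesses the input can recompute. No length or emptiness check is visible in this hunk, and `init()` continues outside it, so one may exist elsewhere. If none does, startup should refuse an empty or very short secret before hashing. The line also deserves a comment recording how the digest is consumed, for example `// 64-byte digest: first 32 bytes sign the session cookie, last 32 bytes encrypt it (see router.New)`.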
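Review bot: The new `cookieStore.Options` block in `New` sets `Path` and `HttpOnly` but leaves `Secure` and `SameSite` unset. The session cookie can then be sent over plain HTTP, and it carries no explicit cross-site restriction. I would add `cookieStore.Options.SameSite = http.SameSiteLaxMode` (this needs `net/http` imported in router.go if it is not already). `cookieStore.Options.Secure` should be driven from configuration, since whether the UI is served over TLS is not visible here. A short comment on the key split would also help, for example `// secret[:32] is the HMAC key, secret[32:] the AES-256 block key`. The body of `New` continues past the end of this hunk.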