FIX: Login

auth/auth_functions.php

@@ -9,7 +9,27 @@ if (session_status() === PHP_SESSION_NONE) {
     ini_set('session.cookie_httponly', 1);
     ini_set('session.use_strict_mode', 1);
     ini_set('session.cookie_samesite', 'Lax');
+    // Set Secure flag when served over HTTPS (also handles reverse proxies)
+    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
+        || (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
+        || (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] === 'on');
+    ini_set('session.cookie_secure', $isHttps ? 1 : 0);
+
+    // Determine if this is the login page (the only page allowed to create a new session cookie)
+    $isLoginPage = (strpos($_SERVER['SCRIPT_NAME'] ?? '', '/auth/login.php') !== false);
+
+    if (!isset($_COOKIE[session_name()]) && !$isLoginPage) {
+        // No existing session cookie and not the login page:
+        // Start session without sending a Set-Cookie header to prevent
+        // sub-resource requests (favicon.ico, robots.txt, etc.) from
+        // overwriting the valid session cookie in the browser.
+        // With use_cookies=0 and use_only_cookies=1 (default), PHP starts
+        // a session but sends no Set-Cookie header.
+        ini_set('session.use_cookies', 0);
         session_start();
+    } else {
+        session_start();
+    }
 }
 
 /**

robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /