diff --git a/app.py b/app.py index 6b6af9a..1210e5b 100644 --- a/app.py +++ b/app.py @@ -188,7 +188,7 @@ def login(): # Set cookie parameters to work with Zoraxy/Authelia response.set_cookie( key=app.config['SESSION_COOKIE_NAME'], - value=request.cookies.get(app.config['SESSION_COOKIE_NAME']), + value=secrets.token_urlsafe(32), # Generate a new token instead of using session.sid max_age=int(app.config['PERMANENT_SESSION_LIFETIME'].total_seconds()), path=app.config['SESSION_COOKIE_PATH'], secure=app.config['SESSION_COOKIE_SECURE'], @@ -216,12 +216,11 @@ def login(): # Manually set cookie with correct parameters for Zoraxy if ZORAXY_COOKIE_FIX: - max_age = int(app.config['PERMANENT_SESSION_LIFETIME'].total_seconds()) - cookie_value = request.cookies.get(app.config['SESSION_COOKIE_NAME']) or session.sid + session_token = secrets.token_urlsafe(32) # Generate a new token response.set_cookie( app.config['SESSION_COOKIE_NAME'], - cookie_value, - max_age=max_age, + session_token, + max_age=int(app.config['PERMANENT_SESSION_LIFETIME'].total_seconds()), secure=app.config['SESSION_COOKIE_SECURE'], httponly=app.config['SESSION_COOKIE_HTTPONLY'], samesite='None', @@ -243,6 +242,8 @@ def login(): logger.info(f"Cookies: {request.cookies}") logger.info(f"Client IP: {request.remote_addr}") logger.info(f"X-Forwarded-For: {request.headers.get('X-Forwarded-For')}") + # Log all headers to see what's coming from Authelia + logger.info(f"All headers: {dict(request.headers)}") # Show login form return render_template('login.html') 
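Review bot: The new `value=secrets.token_urlsafe(32)` on the first `set_cookie` is a random token that nothing on the server stores or looks up, so the browser will return a value that maps to no session and the login will not persist; if `SESSION_COOKIE_NAME` is the Flask/Flask-Session cookie, the framework's signed or sid-keyed value is being replaced with unsigned junk. Dropping the old echo of the client-supplied cookie is right — that was a session-fixation vector — but the replacement must be an identifier the session backend knows: regenerate the server-side session and write its new `session.sid`, or stop hand-setting this cookie and let Flask emit it with `app.config['SESSION_COOKIE_SAMESITE'] = 'None'` and `SESSION_COOKIE_SECURE = True`. `secrets` is not imported in any visible hunk; confirm the top-of-file import exists. `login()` starts before this hunk and continues past it.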
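Review bot: `samesite='None'` is paired with `secure=app.config['SESSION_COOKIE_SECURE']`, and when that setting is False current browsers silently discard the cookie (SameSite=None requires Secure), so the Zoraxy fix would have no effect; pin it with `secure=True` or fail fast at startup when the config disagrees. SameSite=None also removes the cross-site request protection the default Lax gives, so the login form and any state-changing route then need an explicit CSRF token. As in the preceding hunk, `session_token` is generated but never recorded server-side, so the cookie still does not carry an id the session store recognises. The enclosing `login()` continues outside the hunk.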
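Review bot: The added `logger.info(f"All headers: {dict(request.headers)}")` writes the `Cookie` and any `Authorization`/`Proxy-Authorization` header — live session and auth credentials — plus the Remote-User/Remote-Email identity headers into the log at INFO level, where they outlive the session and are readable by anyone with log access. Redact before logging, e.g. `REDACT = {'cookie', 'authorization', 'proxy-authorization'}`, `safe = {k: '***' if k.lower() in REDACT else v for k, v in request.headers.items()}`, `logger.debug("All headers: %s", safe)`, using DEBUG level and lazy `%s` args since this is stated to be a diagnostic. The file's own `cookie_check` already masks cookie values with `'***'`, so this should follow that convention. The hunk sits inside `login()`, whose start is outside the hunk.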
@@ -311,12 +312,11 @@ def index(): response = make_response(render_template('index.html')) if ZORAXY_COOKIE_FIX: - max_age = int(app.config['PERMANENT_SESSION_LIFETIME'].total_seconds()) - cookie_value = request.cookies.get(app.config['SESSION_COOKIE_NAME']) or session.sid + session_token = secrets.token_urlsafe(32) # Generate a new token response.set_cookie( app.config['SESSION_COOKIE_NAME'], - cookie_value, - max_age=max_age, + session_token, + max_age=int(app.config['PERMANENT_SESSION_LIFETIME'].total_seconds()), secure=app.config['SESSION_COOKIE_SECURE'], httponly=app.config['SESSION_COOKIE_HTTPONLY'], samesite='None', @@ -622,6 +622,8 @@ def debug_info(): @app.route('/headers') def show_headers(): """Show all request headers - useful for debugging proxies""" + # Log headers to help diagnose issues with Zoraxy/Authelia + logger.info(f"Headers endpoint: All headers received: {dict(request.headers)}") return jsonify({ 'headers': dict(request.headers), 'remote_addr': request.remote_addr, 
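Review bot: Every render of `index()` now overwrites the session cookie with a fresh `secrets.token_urlsafe(32)` that no session store has seen, so the value changes on each page view and can never be used to look the user back up; if this is the Flask session cookie name, Flask will also append its own `Set-Cookie` for the same name when the response is finalised, leaving two conflicting cookies in one response (inferred from the cookie name being shared — confirm). Either write the backend's real identifier here (the removed `session.sid` fallback was closer) or drop the manual `set_cookie` and configure `SESSION_COOKIE_SAMESITE`/`SESSION_COOKIE_SECURE` so Flask emits the right attributes itself. As in the login hunks, `samesite='None'` needs `secure=True` to be accepted by browsers. `index()` starts before the hunk.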
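Review bot: `logger.info(f"Headers endpoint: All headers received: {dict(request.headers)}")` logs the raw `Cookie` and `Authorization` headers of whoever hits `/headers`, turning the credential exposure the JSON response already has into a persistent one in the log file. Mask those keys first — `safe = {k: '***' if k.lower() in ('cookie', 'authorization', 'proxy-authorization') else v for k, v in request.headers.items()}` then `logger.info("Headers endpoint: %s", safe)` — and use lazy `%s` args so the dict is not built when the level is disabled. The route also has no visible authentication; if it exists only for proxy debugging it should be gated the way `debug_info` is (not visible here) or disabled outside development.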
@@ -659,6 +661,44 @@ def cookie_check(): 'all_cookies': {k: '***' for k in request.cookies.keys()} }) +# New endpoint to test Zoraxy auth configuration +@app.route('/authelia-test') +def authelia_test(): + """Test if Authelia headers are correctly passed through Zoraxy""" + all_headers = dict(request.headers) + authelia_headers = {} + + # Check for common Authelia-related headers + auth_related_headers = [ + 'Remote-User', 'X-Remote-User', 'Remote-Groups', 'X-Remote-Groups', + 'Remote-Name', 'X-Remote-Name', 'Remote-Email', 'X-Remote-Email', + 'X-Authelia-URL', 'X-Original-URL', 'X-Forwarded-Proto' + ] + + for header in auth_related_headers: + if header.lower() in [h.lower() for h in all_headers.keys()]: + for actual_header in all_headers.keys(): + if header.lower() == actual_header.lower(): + authelia_headers[actual_header] = all_headers[actual_header] + + # Check for auth cookies + auth_cookies = {} + for cookie_name in request.cookies: + if 'auth' in cookie_name.lower(): + auth_cookies[cookie_name] = '***' # Hide actual value + + return jsonify({ + 'request_host': request.host, + 'authelia_user_detected': get_authelia_user() is not None, + 'authelia_user': get_authelia_user(), + 'authelia_headers': authelia_headers, + 'auth_cookies': auth_cookies, + 'all_headers_count': len(all_headers), + 'zoraxy_detected': any('zoraxy' in h.lower() for h in all_headers.keys()) or 'X-Forwarded-Server' in all_headers, + 'host_header': request.headers.get('Host'), + 'referer': request.headers.get('Referer'), + }) + if __name__ == '__main__': # Parse command-line arguments parser = argparse.ArgumentParser(
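Review bot: `/authelia-test` is a new route with no authentication or debug-mode guard that returns the resolved identity (`get_authelia_user()`), the raw `Remote-User`/`Remote-Email`/`Remote-Groups` values and proxy-internal URLs (`X-Authelia-URL`, `X-Original-URL`) to any caller, so it should not reach production as written. Gate it on a diagnostics flag (`app.debug`, or however `debug_info` is gated — not visible here) and return 404 otherwise; `abort` must be imported from flask if it is not already. The nested loops over `all_headers.keys()` can also go, since Werkzeug's `request.headers` is already case-insensitive for `in` and `[]`, so one comprehension suffices (keyed by the canonical name rather than the received spelling). When testing, also send a forged `Remote-User` straight to the backend, bypassing Zoraxy: the endpoint will then reveal whether the proxy strips client-supplied identity headers, which is what `get_authelia_user()` implicitly trusts.
```python
@app.route('/authelia-test')
def authelia_test():
    """Test if Authelia headers are correctly passed through Zoraxy (diagnostics only)."""
    # Never expose resolved identity / proxy-internal headers outside a debug deployment
    if not app.debug:
        abort(404)
    all_headers = dict(request.headers)
    # … unchanged: auth_related_headers list …
    # request.headers is case-insensitive, so no manual lower() scan is needed
    authelia_headers = {
        name: request.headers[name]
        for name in auth_related_headers
        if name in request.headers
    }
    # … unchanged: auth_cookies scan and jsonify response …
```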