From c3efa127d95f9e0938e5f7421892a309ac6174f6 Mon Sep 17 00:00:00 2001
From: Rune Olsen
Date: Thu, 22 Jan 2026 16:42:55 +0100
Subject: [PATCH] Changed app for proxy and https++

---
 app.py | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/app.py b/app.py
index 8f8b13b..4e14e5f 100644
--- a/app.py
+++ b/app.py
@@ -1,6 +1,7 @@
 from flask import Flask, render_template, request, jsonify, redirect, url_for, session
 from functools import wraps
 from werkzeug.middleware.proxy_fix import ProxyFix
+from datetime import timedelta
 import malias_wrapper as malias_w
 import os
 import argparse
@@ -23,12 +24,22 @@ app.wsgi_app = ProxyFix(
 malias_w.init_database()
 
 # Session configuration for reverse proxy
-# Allow session cookies to work properly behind HTTPS proxy
+# Critical: Session cookies must work through proxy (Authelia, Zoraxy, etc.)
 app.config.update(
-    SESSION_COOKIE_SECURE=False, # Set to True if using HTTPS only
-    SESSION_COOKIE_HTTPONLY=True, # Prevent JavaScript access to session cookie
-    SESSION_COOKIE_SAMESITE='Lax', # CSRF protection
-    PREFERRED_URL_SCHEME='https' # Generate HTTPS URLs when behind proxy
+    # Session cookie settings
+    SESSION_COOKIE_NAME='malias_session', # Custom name to avoid conflicts
+    SESSION_COOKIE_SECURE=False, # Must be False - backend connection is HTTP
+    SESSION_COOKIE_HTTPONLY=True, # Security: prevent JavaScript access
+    SESSION_COOKIE_SAMESITE='Lax', # Allow same-site requests (needed for redirects)
+    SESSION_COOKIE_PATH='/', # Available for entire application
+
+    # Permanent session (survives browser restarts)
+    PERMANENT_SESSION_LIFETIME=86400, # 24 hours in seconds
+    SESSION_REFRESH_EACH_REQUEST=True, # Extend session on each request
+
+    # URL generation
+    PREFERRED_URL_SCHEME='https', # Generate HTTPS URLs when behind proxy
+    APPLICATION_ROOT='/', # Application root path
 )
 
 def login_required(f):
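Review bot: `timedelta` is imported on the added line but nothing in this patch uses it; `PERMANENT_SESSION_LIFETIME` is set to the bare integer `86400` in the config hunk below. Either drop the import or use it where it was evidently intended, `PERMANENT_SESSION_LIFETIME=timedelta(hours=24),`, which reads more clearly than the magic number. Flask accepts either an int of seconds or a `timedelta` for that setting.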
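Review bot: The rationale on `SESSION_COOKIE_SECURE=False` ("backend connection is HTTP") is mistaken: the Secure attribute only tells the browser to send the cookie on HTTPS requests, and the browser talks to the proxy over HTTPS (`PREFERRED_URL_SCHEME='https'` and the `ProxyFix` wrapper named in the hunk header say so), so the plaintext proxy-to-backend hop is irrelevant to it. Leaving it False means a user who follows an `http://` link to the site, or is downgraded, sends the signed session cookie in clear text. Suggest `SESSION_COOKIE_SECURE=True,  # browser<->proxy is HTTPS; ProxyFix propagates the scheme`, optionally toggled from an environment variable for local HTTP development. Separately, `SESSION_REFRESH_EACH_REQUEST=True` together with `PERMANENT_SESSION_LIFETIME=86400` and the `session.permanent = True` added in the login hunk makes the 24 h a sliding idle timeout rather than an absolute bound, so the comment `# 24 hours in seconds` should read `# 24 h of inactivity; renewed on every request` unless an absolute limit is intended, in which case the login time must be stored in the session and checked in `login_required`. The `ProxyFix(` arguments that decide which forwarded headers are trusted lie outside this hunk.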
@@ -46,6 +57,7 @@ def login():
     if request.method == 'POST':
         password = request.json.get('password', '')
         if malias_w.verify_password(password):
+            session.permanent = True # Make session persistent
             session['logged_in'] = True
             return jsonify({'status': 'success', 'message': 'Login successful'})
         else:
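Review bot: The comment on the added `session.permanent = True` undersells what it does: with Flask's signed client-side session it only switches the cookie from browser-session scope to a `Max-Age` of `PERMANENT_SESSION_LIFETIME` (86400 s in this patch), and because `SESSION_REFRESH_EACH_REQUEST=True` is also set, that expiry is re-issued on every request. Suggest `session.permanent = True  # cookie gets Max-Age=PERMANENT_SESSION_LIFETIME (24 h), renewed per request`. The enclosing `login()` begins before the hunk and its `else:` branch continues after it.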