diff --git a/middleware/AuthMiddleware.php b/middleware/AuthMiddleware.php
index ce345d1..0c77c4c 100644
--- a/middleware/AuthMiddleware.php
+++ b/middleware/AuthMiddleware.php
@@ -20,8 +20,14 @@ class AuthMiddleware {
 * @throws Exception if authentication fails
 */
 public function authenticate() {
- // Start session if not already started
+ // Start session if not already started with secure settings
 if (session_status() === PHP_SESSION_NONE) {
+ // Configure secure session settings
+ ini_set('session.cookie_httponly', 1);
+ ini_set('session.cookie_secure', 1); // Requires HTTPS
+ ini_set('session.cookie_samesite', 'Strict');
+ ini_set('session.use_strict_mode', 1);
+
 session_start();
 }
 
@@ -66,10 +72,17 @@ class AuthMiddleware {
 throw new Exception("Failed to sync user from Authelia");
 }
 
+ // Regenerate session ID to prevent session fixation attacks
+ session_regenerate_id(true);
+
 // Store user in session
 $_SESSION['user'] = $user;
 $_SESSION['last_activity'] = time();
 
+ // Generate new CSRF token on login
+ require_once __DIR__ . '/CsrfMiddleware.php';
+ CsrfMiddleware::generateToken();
+
 return $user;
 }
 
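Review bot: None of the four `ini_set()` calls added before `session_start()` checks its return value, so if a directive is locked by php.ini (`php_admin_value`) or `ini_set` is disabled, the session silently starts with the insecure defaults and the login still succeeds. Passing the options to `session_start()` directly and checking its result keeps the hardening local to this call and turns a refused setting into a failed request rather than a quiet downgrade. Note also that `SameSite=Strict` withholds the cookie on the first top-level navigation back from a cross-site login portal; if the Authelia redirect is cross-site, `Lax` is the usual compromise — confirm against the deployment. The enclosing `authenticate()` body continues past the hunk.
```php
if (session_status() === PHP_SESSION_NONE) {
    // Options go to session_start() directly so a refused setting fails the
    // request instead of leaving the session on insecure defaults.
    $started = session_start([
        'cookie_httponly' => true,
        'cookie_secure'   => true, // Requires HTTPS
        'cookie_samesite' => 'Strict',
        'use_strict_mode' => true,
    ]);
    if ($started !== true) {
        throw new Exception("Failed to start secure session");
    }
}
// … unchanged: remainder of authenticate() …
```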
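Review bot: `session_regenerate_id(true)` is unchecked; it returns false when the ID cannot be rotated (for example when output has already been sent), in which case `$user` is stored into the old, possibly attacker-known session and login proceeds as if the fixation protection had applied. Guard it in the same style as the sync failure just above: `if (!session_regenerate_id(true)) { throw new Exception("Failed to regenerate session ID"); }`. Deleting the old session immediately (`true`) can also drop concurrent requests that still carry the old ID; the PHP manual's pattern of marking the old session destroyed with a short grace period avoids that — worth confirming whether this app issues parallel requests around login. The `require_once __DIR__ . '/CsrfMiddleware.php'` inside the method body belongs at the top of the file (or behind the autoloader) with the other dependencies. The start of `authenticate()` lies outside this hunk.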