diff --git a/src/server/gpodder/advanced/auth.rs b/src/server/gpodder/advanced/auth.rs index 242082a..b0bccaf 100644 --- a/src/server/gpodder/advanced/auth.rs +++ b/src/server/gpodder/advanced/auth.rs @@ -10,10 +10,13 @@ use axum_extra::{ }; use cookie::time::Duration; -use crate::server::{ - error::{AppError, AppResult}, - gpodder::SESSION_ID_COOKIE, - Context, +use crate::{ + gpodder, + server::{ + error::{AppError, AppResult}, + gpodder::SESSION_ID_COOKIE, + Context, + }, }; pub fn router() -> Router { @@ -33,6 +36,31 @@ async fn post_login( return Err(AppError::BadRequest); } + // If a session token is present, we check if it's valid first and do nothing if it is + if let Some(session_id) = jar + .get(SESSION_ID_COOKIE) + .and_then(|c| c.value().parse::().ok()) + { + let ctx = ctx.clone(); + match tokio::task::spawn_blocking(move || { + let session = ctx.store.get_session(session_id)?; + ctx.store.refresh_session(&session)?; + + Ok(session) + }) + .await + .unwrap() + { + Ok(_) => { + return Ok(jar); + } + Err(gpodder::AuthErr::UnknownSession) => {} + Err(err) => { + return Err(AppError::from(err)); + } + } + } + let session = tokio::task::spawn_blocking(move || { let user = ctx .store @@ -43,7 +71,12 @@ async fn post_login( .unwrap()?; Ok(jar.add( - Cookie::build((SESSION_ID_COOKIE, session.id.to_string())).max_age(Duration::days(365)), + Cookie::build((SESSION_ID_COOKIE, session.id.to_string())) + .secure(false) + .same_site(cookie::SameSite::Strict) + .http_only(true) + .path("/api") + .max_age(Duration::days(365)), )) }
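Review bot: The early return `Ok(_) => { return Ok(jar); }` in the second hunk accepts any server-side-valid session cookie without checking that the session belongs to the user this login is for, and it skips verification of the credentials carried by the request entirely. A client holding a session for user A that logs in as user B with B's valid credentials gets 200 and silently keeps A's session, and a cookie planted for an attacker-owned session becomes session fixation, because the victim's later uploads land in the attacker's account. If the value returned by `get_session` carries its owner, compare it against the username the handler already validated before the hunk, e.g. `Ok(session) if session_owner_matches(&session, &username) => return Ok(jar),`, and otherwise fall through to the credential path so a fresh session is issued. Note also that this path calls `refresh_session` but does not re-add the cookie, so the browser-side `max_age` set in the last hunk is not extended when the server-side session is. The body of `post_login` begins before this hunk.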
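Review bot: `.secure(false)` in the last hunk is an explicit opt-out of the Secure attribute on a 365-day session cookie, so any client that reaches the server over plain HTTP, or is downgraded to it, sends the session ID in cleartext. That is presumably intended for plain-HTTP or reverse-proxied deployments, but it should be a deployment setting read from `Context` before `ctx` is moved into the blocking task rather than a hard-coded constant, e.g. `.secure(tls_enabled)` defaulting to true, with the reason stated in a comment such as `// Secure is configurable because the server may sit behind a TLS-terminating proxy`. `http_only(true)`, `SameSite::Strict` and `path("/api")` are sound choices, and since this cookie is the only credential for a year-long session the transport question is the one that matters. The enclosing function begins before this hunk.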