diff --git a/remote_backend/Cargo.lock b/remote_backend/Cargo.lock
index 30a79ef..01fcf6b 100644
--- a/remote_backend/Cargo.lock
+++ b/remote_backend/Cargo.lock
@@ -1693,6 +1693,7 @@ version = "0.1.0"
 dependencies = [
  "actix-identity",
  "actix-remote-ip",
+ "actix-session",
  "actix-web",
  "anyhow",
  "basic-jwt",
diff --git a/remote_backend/Cargo.toml b/remote_backend/Cargo.toml
index 7903df4..6c19633 100644
--- a/remote_backend/Cargo.toml
+++ b/remote_backend/Cargo.toml
@@ -14,6 +14,7 @@ light-openid = { version = "1.0.2", features = ["crypto-wrapper"] }
 basic-jwt = "0.2.0"
 actix-web = "4.5.1"
 actix-remote-ip = "0.1.0"
+actix-session = { version = "0.9.0", features = ["cookie-session"] }
 actix-identity = "0.7.1"
 lazy_static = "1.4.0"
 anyhow = "1.0.82"
diff --git a/remote_backend/src/constants.rs b/remote_backend/src/constants.rs
index 2ca4b8c..ae86229 100644
--- a/remote_backend/src/constants.rs
+++ b/remote_backend/src/constants.rs
@@ -1,3 +1,13 @@
+/// Name of the cookie that contains session information
+pub const SESSION_COOKIE_NAME: &str = "X-auth-token";
+
+/// Maximum session duration after inactivity, in seconds
+pub const MAX_INACTIVITY_DURATION: u64 = 60 * 30;
+
+/// Maximum session duration (6 hours)
+pub const MAX_SESSION_DURATION: u64 = 3600 * 6;
+
+/// The routes that can be accessed without authentication
 pub const ROUTES_WITHOUT_AUTH: [&str; 3] = [
     "/api/server/config",
     "/api/auth/start_oidc",
diff --git a/remote_backend/src/main.rs b/remote_backend/src/main.rs
index 7c45a6d..893974c 100644
--- a/remote_backend/src/main.rs
+++ b/remote_backend/src/main.rs
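Review bot: `MAX_SESSION_DURATION` is fed to `Duration::from_secs` exactly like `MAX_INACTIVITY_DURATION` (see the main.rs hunk), but only the latter's doc comment names the unit, so the pair reads inconsistently; make both explicit, e.g. `/// Absolute session lifetime since login, in seconds (6 hours)` and `/// Session ends after this many seconds without a request (30 minutes)`. It is also worth saying on `SESSION_COOKIE_NAME` that this is the name of the session cookie (the `X-` prefix reads like an HTTP header), and that the session data itself travels inside that cookie, so a captured value stays usable until the absolute deadline. A one-line pointer from these constants to the middleware in main.rs that consumes them would help the next reader find the enforcement.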
@@ -1,11 +1,18 @@
+use actix_identity::config::LogoutBehaviour;
+use actix_identity::IdentityMiddleware;
 use actix_remote_ip::RemoteIPConfig;
+use actix_session::storage::CookieSessionStore;
+use actix_session::SessionMiddleware;
+use actix_web::cookie::{Key, SameSite};
 use actix_web::middleware::Logger;
 use actix_web::web::Data;
 use actix_web::{web, App, HttpServer};
 use light_openid::basic_state_manager::BasicStateManager;
 use remote_backend::app_config::AppConfig;
 use remote_backend::controllers::auth_controller;
-use remote_backend::virtweb_client;
+use remote_backend::middlewares::auth_middleware::AuthChecker;
+use remote_backend::{constants, virtweb_client};
+use std::time::Duration;
 
 #[actix_web::main]
 async fn main() -> std::io::Result<()> {
@@ -16,8 +23,30 @@ async fn main() -> std::io::Result<()> {
     println!("{:#?}", virtweb_client::get_token_rights().await.unwrap());
 
     HttpServer::new(move || {
+        let session_mw = SessionMiddleware::builder(
+            CookieSessionStore::default(),
+            Key::from(AppConfig::get().secret().as_bytes()),
+        )
+        .cookie_name(constants::SESSION_COOKIE_NAME.to_string())
+        .cookie_secure(AppConfig::get().cookie_secure)
+        .cookie_same_site(SameSite::Strict)
+        .cookie_domain(AppConfig::get().cookie_domain())
+        .cookie_http_only(true)
+        .build();
+
+        let identity_middleware = IdentityMiddleware::builder()
+            .logout_behaviour(LogoutBehaviour::PurgeSession)
+            .visit_deadline(Some(Duration::from_secs(
+                constants::MAX_INACTIVITY_DURATION,
+            )))
+            .login_deadline(Some(Duration::from_secs(constants::MAX_SESSION_DURATION)))
+            .build();
+
         App::new()
             .wrap(Logger::default())
+            .wrap(AuthChecker)
+            .wrap(identity_middleware)
+            .wrap(session_mw)
             .app_data(state_manager.clone())
             .app_data(Data::new(RemoteIPConfig {
                 proxy: AppConfig::get().proxy_ip.clone(),
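Review bot: `Key::from(AppConfig::get().secret().as_bytes())` panics when the secret is shorter than 64 bytes, and because it sits inside the `HttpServer::new` factory that panic fires per worker instead of as one clear startup error; build the `Key` once before `HttpServer::new` behind an explicit length check and clone it into the closure, and if `secret()` is reused anywhere else (the crate also pulls in `basic-jwt`) derive a dedicated key for the session cookie rather than sharing the raw value. The middleware nesting is right (`session_mw` outermost, then `identity_middleware`, then `AuthChecker`), but `Logger` is registered first and so ends up innermost — any request `AuthChecker` short-circuits presumably never reaches it, so rejected attempts would be missing from the access log; registering `.wrap(Logger::default())` last makes it outermost. Also note in a comment that `CookieSessionStore` keeps the whole session client-side, so `LogoutBehaviour::PurgeSession` only clears the browser's cookie and a stolen cookie remains valid until `login_deadline`; `SameSite::Strict` is fine as long as the OIDC callback does not need to read this cookie on the cross-site redirect back from the IdP, which looks to be the case given `BasicStateManager` holds the state. The body of `main` continues past the end of the hunk.
```rust
    // Build the cookie key once, before the worker factory, so a bad secret
    // fails at startup with a clear message instead of panicking per worker.
    let secret = AppConfig::get().secret();
    if secret.len() < 64 {
        return Err(std::io::Error::new(
            std::io::ErrorKind::InvalidInput,
            "session cookie secret must be at least 64 bytes",
        ));
    }
    let cookie_key = Key::from(secret.as_bytes());

    HttpServer::new(move || {
        let session_mw =
            SessionMiddleware::builder(CookieSessionStore::default(), cookie_key.clone())
        // … unchanged: cookie options, identity middleware, App construction …
```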