PHP sessions were unreliable on this host — the web process could write
session files but LiteSpeed served cached login-page responses on the
redirect, bypassing PHP entirely.
Replace sessions with a self-contained signed cookie:
- On login: generate random 32-byte token + expiry, sign with HMAC-SHA256
- On each request: verify signature and expiry — no filesystem reads needed
- Cookie: Secure, HttpOnly, SameSite=Lax, path=/admin/, 24h expiry
- admin/.htaccess: CacheEnable off + no-store headers to prevent LiteSpeed
from caching admin responses
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>