diff --git a/confs/main-lua.conf b/confs/main-lua.conf
index da5e472..10b536b 100644
--- a/confs/main-lua.conf
+++ b/confs/main-lua.conf
@@ -1,3 +1,5 @@
+set $session_secret %ANTIBOT_SESSION_SECRET%;
+
 access_by_lua_block {
 local use_whitelist_ip = %USE_WHITELIST_IP%
diff --git a/confs/server.conf b/confs/server.conf
index 0569bfb..61012a6 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -1,5 +1,6 @@
 server {
 include /server-confs/*.conf;
+ set $session_secret %ANTIBOT_SESSION_SECRET%;
 include /etc/nginx/main-lua.conf;
 %LISTEN_HTTP%
 %USE_HTTPS%
diff --git a/entrypoint.sh b/entrypoint.sh
index 41afc6c..70726c3 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -156,6 +156,7 @@ SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-bunkerity-nginx}"
 ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
 USE_ANTIBOT="${USE_ANTIBOT-cookie}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
+ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -497,8 +498,12 @@ fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
-# antibot uri
+# antibot uri and session secret
 replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
+if [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then
+ ANTIBOT_SESSION_SECRET=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+fi
+replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_SESSION_SECRET%" "$ANTIBOT_SESSION_SECRET"
 # antibot via cookie
 if [ "$USE_ANTIBOT" = "cookie" ] ; then
diff --git a/lua/cookie.lua b/lua/cookie.lua
index 5d69f5d..91fc68f 100644
--- a/lua/cookie.lua
+++ b/lua/cookie.lua
@@ -3,11 +3,10 @@ local M = {}
 local session = require "resty.session"
 function M.session ()
- local s = session:open()
- if not s.started then
- s:start()
+ if not ngx.ctx.session then
+ ngx.ctx.session = session:start()
 end
- return s
+ return ngx.ctx.session
 end
 function M.is_set (key)
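Review bot: In confs/main-lua.conf the secret is substituted unquoted into `set $session_secret %ANTIBOT_SESSION_SECRET%;`, so an operator-supplied value containing whitespace, `;`, `$` or a quote changes how nginx parses the directive. The generated default is limited to `A-Za-z0-9` and is safe, but a value passed through the environment is not constrained anywhere in the visible hunks. I would quote it, `set $session_secret "%ANTIBOT_SESSION_SECRET%";`, and have entrypoint.sh reject values outside a known-safe character set before substitution. The same applies to the identical line added in confs/server.conf. The secret also ends up in plaintext in the rendered config, so that file's permissions are worth checking; they are not visible here.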
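Review bot: The `set $session_secret %ANTIBOT_SESSION_SECRET%;` added in confs/server.conf duplicates the one this commit puts at the top of main-lua.conf, which server.conf includes on the very next line. The entrypoint.sh hunks only run `replace_in_file` for this placeholder on `/etc/nginx/main-lua.conf`, so unless server.conf is rendered somewhere outside the diff the literal text `%ANTIBOT_SESSION_SECRET%` stays in this file. Today the later `set` from the include overrides it, but if the ordering ever changes the session key becomes a publicly known constant. I would keep the directive in one file only, or add the matching `replace_in_file` call for server.conf.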
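Review bot: In the second entrypoint.sh hunk an empty or trivially short ANTIBOT_SESSION_SECRET is accepted: the default line uses `${ANTIBOT_SESSION_SECRET-random}` (no colon), and the check tests only for the literal `random`, so a set-but-empty variable is written into the config as `set $session_secret ;`. I would treat empty like the sentinel, `if [ -z "$ANTIBOT_SESSION_SECRET" ] || [ "$ANTIBOT_SESSION_SECRET" = "random" ] ; then`, and refuse to start on a value below a minimum length. A comment here should also say that the generated secret changes on every container start, so existing antibot sessions stop validating after a restart and replicas behind a load balancer need an explicit shared secret. `replace_in_file` is defined outside the hunk; if it is sed-based, characters such as `/` or `&` in a supplied secret need escaping there.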
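Review bot: `M.session` in lua/cookie.lua now caches the session on `ngx.ctx` but carries no comment saying why, and the cache key `ngx.ctx.session` is generic enough to collide with any other code that stores a session there. I would add above the function `-- Start the session once per request and reuse it; ngx.ctx is reset on internal redirects, so start() runs again after one.` and consider a module-specific key such as `ngx.ctx.antibot_session`. The switch from `session:open()` to `session:start()` also means read-only callers such as `M.is_set` (its body is outside the hunk) now start a session, which presumably issues a cookie to clients that had none; worth confirming that is intended.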