diff --git a/scripts/pi-hole/php/auth.php b/scripts/pi-hole/php/auth.php
index 2046261a..21a25c46 100644
--- a/scripts/pi-hole/php/auth.php
+++ b/scripts/pi-hole/php/auth.php
@@ -97,6 +97,11 @@ function check_csrf($token) {
 session_id() == "";
 if(!$session_started) {
+ // Start a new PHP session (or continue an existing one)
+ // Prevents javascript XSS attacks aimed to steal the session ID
+ ini_set('session.cookie_httponly', 1);
+ // Prevent Session ID from being passed through URLs
+ ini_set('session.use_only_cookies', 1);
 session_start();
 }
diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php
index b3da977a..5dd03dd8 100644
--- a/scripts/pi-hole/php/password.php
+++ b/scripts/pi-hole/php/password.php
@@ -9,6 +9,10 @@
 require_once('func.php');
 // Start a new PHP session (or continue an existing one)
+ // Prevents javascript XSS attacks aimed to steal the session ID
+ ini_set('session.cookie_httponly', 1);
+ // Prevent Session ID from being passed through URLs
+ ini_set('session.use_only_cookies', 1);
 session_start();
 // Read setupVars.conf file
@@ -39,7 +43,7 @@
 // Test if password is set
 if(strlen($pwhash) > 0) {
- // Check for and authorize from persistent cookie
+ // Check for and authorize from persistent cookie
 if (isset($_COOKIE["persistentlogin"])) {
 if (hash_equals($pwhash, $_COOKIE["persistentlogin"]))
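Review bot: The new `ini_set` lines in check_csrf cover script access to the cookie and URL-borne session IDs, but `session.cookie_secure` is left unset, so the session cookie is still transmitted over plaintext HTTP even on deployments that serve the admin interface over TLS. It cannot be forced unconditionally because the interface may legitimately run without TLS, but a guarded line before `session_start()`, such as `if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { ini_set('session.cookie_secure', 1); }`, would cover the TLS case (on PHP 7.3+ `session.cookie_samesite` is worth setting in the same place). The same two `ini_set` calls are repeated verbatim in the password.php hunk; a single helper in func.php, or passing the options directly as `session_start(['cookie_httponly' => true, 'use_only_cookies' => true])`, would keep the two sites from drifting. check_csrf begins before this hunk and its body continues after it.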
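Review bot: The existing comment `// Start a new PHP session (or continue an existing one)` now sits four lines above the `session_start()` it describes, and the new `// Prevents javascript XSS attacks aimed to steal the session ID` reads as a continuation of it rather than as the rationale for the `ini_set` that follows. Placing the two `ini_set` lines and their comments above the existing comment keeps each comment attached to the statement it explains: `ini_set('session.cookie_httponly', 1);` and `ini_set('session.use_only_cookies', 1);` first, then the original comment immediately followed by `session_start();`. The same ordering applies to the block added in check_csrf in auth.php. This hunk is top-level script code with no enclosing function.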