diff --git a/api/login.php b/api/login.php
index e8aeb1b..f7db807 100644
--- a/api/login.php
+++ b/api/login.php
@@ -21,13 +21,31 @@ if (!is_array($data)) {
 $login = trim($data['username'] ?? '');
 $password = $data['password'] ?? '';
+$siteAlias = trim($data['site_alias'] ?? '');
+
+if ($siteAlias === '') {
+ http_response_code(400);
+ echo json_encode(['success' => false, 'message' => 'Не указан сайт']);
+ exit;
+}
 // Поиск пользователя по username
-$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
+$stmt = $pdo->prepare("SELECT id, username, password_hash, ok5, o7, o10m, o10a, webp FROM users WHERE username = ?");
 $stmt->execute([$login]);
 $user = $stmt->fetch(PDO::FETCH_ASSOC);
 if ($user && password_verify($password, $user['password_hash'])) {
+ $allowedAliases = ['ok5', 'o7', 'o10m', 'o10a', 'webp'];
+ if (!in_array($siteAlias, $allowedAliases, true)) {
+ echo json_encode(['success' => false, 'message' => 'Неизвестный сайт']);
+ exit;
+ }
+
+ if ((int)$user[$siteAlias] !== 1) {
+ echo json_encode(['success' => false, 'message' => 'Нет доступа к сайту']);
+ exit;
+ }
+
 // Успешная авторизация
 session_regenerate_id(true);
 $_SESSION['user_id'] = $user['id'];
diff --git a/config/session.php b/config/session.php
index b5adffd..5143e8a 100644
--- a/config/session.php
+++ b/config/session.php
@@ -1,10 +1,22 @@
 0,
- 'path' => '/',
+ 'path' => $basePath,
 'domain' => '',
 'secure' => $isSecure,
 'httponly' => true,
diff --git a/js/auth.js b/js/auth.js
index 1e5bb65..6a3d5cb 100644
--- a/js/auth.js
+++ b/js/auth.js
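Review bot: The alias allow-list check sits inside the `password_verify` branch, so a request carrying an unknown `site_alias` still costs a user lookup and a password-hash verification before being rejected, and neither that branch nor the `Нет доступа к сайту` branch sets an HTTP status, unlike the 400 returned for an empty alias a few lines earlier. Fold the list check into the early guard, `if ($siteAlias === '' || !in_array($siteAlias, ['ok5', 'o7', 'o10m', 'o10a', 'webp'], true)) {` with the existing 400, drop the later `$allowedAliases` block, and add `http_response_code(403);` before the no-access echo so clients can distinguish a malformed request from a denied one. The only session state visible in the hunk is `$_SESSION['user_id']`; if nothing outside the hunk records which site the login was authorised for, consider `$_SESSION['site_alias'] = $siteAlias;` so per-request checks can verify the alias from the session rather than relying on the cookie path configured in config/session.php. The `if ($user && password_verify(...))` block continues past the end of the hunk.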
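Review bot: `$basePath` is the only new value visible on the `'path'` line and its assignment did not survive in this copy of the hunk, so it cannot be confirmed whether it is a fixed configuration constant or derived from request data such as `$_SERVER`; if it is request-derived, the session cookie path becomes client-influenced and should be validated against the same alias allow-list api/login.php uses before it reaches `session_set_cookie_params`. Independently of that, a path-scoped cookie only tells a conforming browser where to send it; it is not an isolation boundary between sites on the same host (RFC 6265 §8.5 states this explicitly), so per-site authorisation must still be checked server-side on each request rather than inferred from the path the cookie arrived on. A comment such as `// NOTE: cookie path limits where the browser sends the cookie; it is not an access-control boundary` above the options array would make that intent clear to the next reader.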
@@ -45,6 +45,16 @@ if (document.getElementById('loginForm')) {
 const formData = new FormData(this);
 const data = Object.fromEntries(formData);
+ if (!data.site_alias) {
+ const metaAlias = document.querySelector('meta[name="site-alias"]');
+ if (metaAlias && metaAlias.content) {
+ data.site_alias = metaAlias.content.trim();
+ } else {
+ const path = window.location.pathname.replace(/\/+$/, '');
+ const parts = path.split('/').filter(Boolean);
+ data.site_alias = parts[0] || 'root';
+ }
+ }
 const result = await sendRequest('api/login.php', data);