auth update

config/session.php

@@ -1,10 +1,22 @@
 <?php
 if (session_status() === PHP_SESSION_NONE) {
     $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+    $scriptName = $_SERVER['SCRIPT_NAME'] ?? '';
+    $basePath = '/';
+    if ($scriptName !== '') {
+        $basePath = preg_replace('#/api/.*$#', '', $scriptName);
+        if ($basePath === $scriptName) {
+            $basePath = dirname($scriptName);
+        }
+        $basePath = rtrim($basePath, '/');
+        if ($basePath === '') {
+            $basePath = '/';
+        }
+    }
     ini_set('session.use_strict_mode', '1');
     session_set_cookie_params([
         'lifetime' => 0,
-        'path' => '/',
+        'path' => $basePath,
         'domain' => '',
         'secure' => $isSecure,
         'httponly' => true,