no cookie for just reading

system/admin/admin.php

@@ -53,6 +53,7 @@ function session($user, $pass)
 
     if ($user_enc == "password_hash") {
         if (password_verify($pass, $user_pass)) {
+            if (session_status() == PHP_SESSION_NONE) session_start();
             if (password_needs_rehash($user_pass, PASSWORD_DEFAULT)) {
                 update_user($user, $pass, $user_role);
             }
@@ -62,6 +63,7 @@ function session($user, $pass)
             return $str = '<div class="error-message"><ul><li class="alert alert-danger">ERROR: Invalid username or password.</li></li></div>';
         }
     } else if (old_password_verify($pass, $user_enc, $user_pass)) {
+        if (session_status() == PHP_SESSION_NONE) session_start();
         update_user($user, $pass, $user_role);
         $_SESSION[config("site.url")]['user'] = $user;
         header('location: admin');

system/htmly.php

@@ -2648,6 +2648,7 @@ get('/:static', function ($static) {
         }
         die;
     } elseif ($static === 'login') {
+        if (session_status() == PHP_SESSION_NONE) session_start();
         config('views.root', 'system/admin/views');
         render('login', array(
             'title' => 'Login - ' . blog_title(),

system/includes/session.php

@@ -1,9 +1,10 @@
 <?php
-
-session_start();
+if (isset($_COOKIE['PHPSESSID']))
+    session_start();
 
 function login()
 {
+    if (session_status() == PHP_SESSION_NONE) return false;
     if (isset($_SESSION[config("site.url")]['user']) && !empty($_SESSION[config("site.url")]['user'])) {
         return true;
     } else {