diff --git a/app.js b/app.js
index a44158b..4d8b7aa 100644
--- a/app.js
+++ b/app.js
@@ -29,17 +29,64 @@ db.exists(function(err, exists) {
 //begin setting up the dashboard app
 var app = express();
+app.use(express.cookieParser());
+app.use(express.session({
+ "secret": settings.general.sessionsecret
+}));
+
+//some logging for debugging
 app.use(function(req, res, next) {
 console.log("%s %s", req.method, req.url);
+// console.log(["Session", req.session]);
+ next();
+});
+
+//initialize fresh session
+app.use(function(req, res, next) {
+ if(req.session.initialized != true) {
+ req.session.initialized = true;
+ req.session.login = false;
+ }
 next();
 });
 //deliver static files by default
 app.use(express.static(__dirname + '/static'));
-//serve random fun stuff on /ohai ;-)
-app.use("/ohai", function(req, res) {
- res.status(200).send("ohai!");
+//API: /session
+app.use("/session", function(req, res) {
+ res.setHeader("Content-Type", "application/json");
+
+ //refresh session
+ if(req.method == "GET") {
+ if(req.session.login == true) {
+ if(new Date() - req.session.lastActivity < 5 * 60 * 1000) {
+ req.session.lastActivity = new Date();
+ } else {
+ req.session.login = false;
+ }
+ res.send(200, JSON.stringify({
+ "login": req.session.login
+ }));
+ }
+
+ //check user credentials, update session data
+ if(req.method == "PUT") {
+ //TODO: implement proper login mechanism
+ req.session.login = true;
+ req.session.lastActivity = new Date();
+ res.send(200, JSON.stringify({
+ "login": req.session.login
+ }));
+ }
+
+ //destroy the session
+ if(req.method == "DELETE") {
+ req.session.login = false;
+ res.send(200, JSON.stringify({
+ "login": req.session.login
+ }));
+ }
 });
 //define 404 for everything else (ugly but i think it's useful)
diff --git a/settings.json.template b/settings.json.template
index 5476e96..9609265 100644
--- a/settings.json.template
+++ b/settings.json.template
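Review bot: In app.js the added `/session` handler opens one more `{` than it closes: in the GET branch `if(req.session.login == true) {` has no matching `}` before `res.send`, so as shown the context line `});` closes the GET block instead of the handler and the file would not parse. The PUT branch then marks any caller as logged in (the TODO acknowledges this) and keeps the pre-login session id; once a credential check exists, the flag should be set inside `req.session.regenerate(...)`, re-setting `initialized` there because the init middleware above would otherwise reset `login` on the next request, and DELETE should call `req.session.destroy(...)` rather than only clearing the flag. `lastActivity` is stored as a `Date`; if the session store serialises sessions to JSON it comes back as a string, the subtraction yields `NaN` and the first GET after login logs the user out, which `Date.now()` avoids. The idle timeout is also only evaluated when a client polls GET /session, so any other route that later trusts `req.session.login` needs the same check.

```javascript
app.use("/session", function(req, res) {
    // … unchanged: Content-Type header, opening of the GET branch …
        if(req.session.login == true) {
            //numeric timestamps survive a JSON round trip through the session store
            if(Date.now() - req.session.lastActivity < 5 * 60 * 1000) {
                req.session.lastActivity = Date.now();
            } else {
                req.session.login = false;
            }
        } //closes the login check; this brace is missing in the hunk
    // … unchanged: res.send of the login flag, end of the GET branch …

    if(req.method == "PUT") {
        //TODO: implement proper login mechanism (verify credentials before regenerating)
        req.session.regenerate(function(err) {
            if(err) {
                return res.send(500, JSON.stringify({ "login": false }));
            }
            req.session.initialized = true;
            req.session.login = true;
            req.session.lastActivity = Date.now();
            // … unchanged: res.send of the login flag …
        });
    }

    if(req.method == "DELETE") {
        req.session.destroy(function(err) {
            res.send(err ? 500 : 200, JSON.stringify({ "login": false }));
        });
    }
```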
@@ -6,7 +6,8 @@
 "listen": {
 "host": "localhost",
 "port": 3000
- }
+ },
+ "sessionsecret": "Ch4ngeTh1sT0Som3ThingRandom|;-)"
 },
 "https": {
 "key": "snakeoil/privkey.pem",
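Review bot: The template ships a fixed, publicly readable value for `sessionsecret`, and nothing visible in this commit stops app.js from starting with it, so a deployment that copies the template unchanged signs its session cookies with a key anyone can read from the repository. Because JSON cannot carry a comment telling the operator to change it, the safer shape is an empty value in the template (`"sessionsecret": ""`) plus a startup check in app.js that refuses to run when `settings.general.sessionsecret` is empty or still equal to the template string. The operator-chosen value should be long and randomly generated rather than a phrase.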