diff --git a/apps/webapp/src/app/api/auth/login/route.ts b/apps/webapp/src/app/api/auth/login/route.ts
index 7564a44..9ef3d00 100644
--- a/apps/webapp/src/app/api/auth/login/route.ts
+++ b/apps/webapp/src/app/api/auth/login/route.ts
@@ -1,12 +1,12 @@
 import { NextRequest, NextResponse } from 'next/server';
-import crypto from 'node:crypto';
+import { createHmac } from 'crypto';
 const SECRET = process.env.SESSION_SECRET ?? 'dev-secret-change-in-production';
 const LOGIN_USER = process.env.LOGIN_USER ?? 'admin';
 const LOGIN_PASS = process.env.LOGIN_PASS ?? 'admin';
 function sign(value: string) {
-return crypto.createHmac('sha256', SECRET).update(value).digest('hex');
+return createHmac('sha256', SECRET).update(value).digest('hex');
 }
 export async function POST(req: NextRequest) {
diff --git a/apps/webapp/src/middleware.ts b/apps/webapp/src/middleware.ts
index 88a1a1a..68d7272 100644
--- a/apps/webapp/src/middleware.ts
+++ b/apps/webapp/src/middleware.ts
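Review bot: The `createHmac` import swap is behaviour-neutral, but the hunk keeps the `'dev-secret-change-in-production'` fallback for `SESSION_SECRET` (duplicated in middleware.ts), so a deployment that forgets the variable signs every session with a publicly known key; failing at startup is safer, e.g. `const SECRET = process.env.SESSION_SECRET; if (!SECRET) throw new Error('SESSION_SECRET must be set');`, and the same reasoning applies to the `admin`/`admin` defaults for `LOGIN_USER`/`LOGIN_PASS`. Since `sign` here and `verifySession` in middleware.ts now sit on different crypto backends (Node `createHmac` hex digest vs WebCrypto `subtle.verify` over decoded hex), a one-line comment on `sign` pinning the contract — `// lowercase hex SHA-256 HMAC over the payload; middleware.ts verifySession decodes exactly this` — would keep the two from drifting. `POST` starts on the last line of this hunk and continues outside it.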
@@ -1,22 +1,28 @@
 import { NextRequest, NextResponse } from 'next/server';
-import crypto from 'node:crypto';
 const SECRET = process.env.SESSION_SECRET ?? 'dev-secret-change-in-production';
-function verifySession(token: string): boolean {
+async function verifySession(token: string): Promise {
 const lastDot = token.lastIndexOf('.');
 if (lastDot === -1) return false;
 const payload = token.slice(0, lastDot);
-const sig = token.slice(lastDot + 1);
-const expected = crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
-return sig === expected;
+const sigHex = token.slice(lastDot + 1);
+try {
+const key = await globalThis.crypto.subtle.importKey(
+'raw', new TextEncoder().encode(SECRET),
+{ name: 'HMAC', hash: 'SHA-256' }, false, ['verify'],
+);
+const sigBytes = new Uint8Array((sigHex.match(/.{1,2}/g) ?? []).map(b => parseInt(b, 16)));
+return await globalThis.crypto.subtle.verify('HMAC', key, sigBytes, new TextEncoder().encode(payload));
+} catch { return false; }
 }
-export function middleware(req: NextRequest) {
+export async function middleware(req: NextRequest) {
 if (!req.nextUrl.pathname.startsWith('/dashboard')) return NextResponse.next();
 const session = req.cookies.get('session')?.value;
 const oidc = req.cookies.get('oidc_token')?.value;
-if ((session && verifySession(session)) || oidc) return NextResponse.next();
+if (oidc) return NextResponse.next();
+if (session && await verifySession(session)) return NextResponse.next();
 return NextResponse.redirect(new URL('/login', req.url));
 }
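Review bot: `if (oidc) return NextResponse.next();` admits a request to /dashboard on the mere presence of an `oidc_token` cookie, with no signature, issuer or expiry check — the opposite of what the new `verifySession` now does for the `session` cookie — and the reorder makes it the first gate evaluated. Unless that cookie is validated somewhere upstream that is not visible here, this path needs the same treatment: verify the token against its issuer (signature and `exp`) before returning `NextResponse.next()`, or drop the shortcut and rely only on the verified session cookie. Separately, the hex decode in `verifySession` accepts any input: `sigHex.match(/.{1,2}/g)` turns non-hex characters into `NaN`, which `Uint8Array` coerces to 0; the verify still fails closed, but rejecting early with `if (!/^[0-9a-f]{64}$/i.test(sigHex)) return false;` before `importKey` makes the contract explicit and skips a needless key import for malformed tokens. The return annotation reads `Promise` with no type argument as rendered here; presumably the page lost `<boolean>` — confirm against the source.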