diff --git a/README.md b/README.md
index 8bf5690..2f85d4a 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@ Summary:
 2. Build client and publish `client/dist/` to your web root/subdirectory.
 3. Configure server `config.toml` and run it via `systemd`.
 4. Add Apache `/ws` websocket proxy from `deploy/apache/chgrid-vhost-snippet.conf`.
+   Include `/auth/session/*` proxy routes from the same snippet so login cookies can be set/cleared reliably.
 
 ## Key Paths
 
diff --git a/deploy/README.md b/deploy/README.md
index f074c05..e3d2d12 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -68,13 +68,23 @@ cd "$REPO_ROOT"
 ./deploy/scripts/install_apache.sh "$REPO_ROOT" /path/to/apache/include/chgrid.conf
 ```
 
-Expected proxy endpoint:
+Expected proxy endpoints:
 
 ```apache
 ProxyPass        /ws  ws://127.0.0.1:8765
 ProxyPassReverse /ws  ws://127.0.0.1:8765
+ProxyPass        /auth/session/  http://127.0.0.1:8765/auth/session/
+ProxyPassReverse /auth/session/  http://127.0.0.1:8765/auth/session/
 ```
 
+What each route does:
+- `/ws`: websocket signaling (presence, movement, item actions, chat, voice signaling).
+- `/auth/session/set`: called by client after successful login to set `HttpOnly` session cookie.
+- `/auth/session/clear`: called by client on logout/session-reset to clear `HttpOnly` session cookie.
+
+Important:
+- Keep `/auth/session/*` at domain root even when the app is served from a subpath like `/chgrid`.
+
 After Apache changes, reload Apache using your host's command.
 
 ## 7) Optional HTTP Stream Relay
diff --git a/deploy/apache/chgrid-vhost-snippet.conf b/deploy/apache/chgrid-vhost-snippet.conf
index 0b75f26..f60d359 100644
--- a/deploy/apache/chgrid-vhost-snippet.conf
+++ b/deploy/apache/chgrid-vhost-snippet.conf
@@ -4,8 +4,12 @@
 # Optional but recommended modules for client update freshness: headers, setenvif
 
 # Proxy websocket signaling endpoint to local Python service.
+# `/ws` is used by the browser signaling client for realtime packets.
 ProxyPass        /ws  ws://127.0.0.1:8765
 ProxyPassReverse /ws  ws://127.0.0.1:8765
+# Proxy auth cookie helper endpoints to local Python service.
+# These root-scoped paths are required even when the app is hosted under `/chgrid`.
+# The client calls `/auth/session/set` after login and `/auth/session/clear` on logout/session-reset.
 ProxyPass        /auth/session/  http://127.0.0.1:8765/auth/session/
 ProxyPassReverse /auth/session/  http://127.0.0.1:8765/auth/session/