diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
index 7af764f92b8b1855dd84a4f7a635907e250c40d1..f8b59317d02231cbccb9d4ea9ce6d4039f753265 100755
--- a/interface/lib/app.inc.php
+++ b/interface/lib/app.inc.php
@@ -68,20 +68,31 @@ class app {
 				$this->db = false;
 			}
 		}
+		$this->uses('functions'); // we need this before all others!
+		$this->uses('auth,plugin,ini_parser,getconf');
+		
+	}
 
+	public function __get($prop) {
+		if(property_exists($this, $prop)) return $this->{$prop};
+		
+		$this->uses($prop);
+		if(property_exists($this, $prop)) return $this->{$prop};
+		else return null;
+	}
+	
+	public function __destruct() {
+		session_write_close();
+	}
+	
+	public function initialize_session() {
 		//* Start the session
 		if($this->_conf['start_session'] == true) {
-
 			$this->uses('session');
 			$sess_timeout = $this->conf('interface', 'session_timeout');
-			$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
-			
-			// Workaround for Nginx servers
-			if($cookie_domain == '_') {
-				$tmp = explode(':',$_SERVER["HTTP_HOST"]);
-				$cookie_domain = $tmp[0];
-				unset($tmp);
-			}
+			$cookie_domain = $this->get_cookie_domain();
+			$this->log("cookie_domain is ".$cookie_domain,0);
+			$cookie_domain = '';
 			$cookie_secure = ($_SERVER["HTTPS"] == 'on')?true:false;
 			if($sess_timeout) {
 				/* check if user wants to stay logged in */
@@ -122,23 +133,8 @@ class app {
 			if(empty($_SESSION['s']['language'])) $_SESSION['s']['language'] = $conf['language'];
 		}
 
-		$this->uses('functions'); // we need this before all others!
-		$this->uses('auth,plugin,ini_parser,getconf');
-		
-	}
-
-	public function __get($prop) {
-		if(property_exists($this, $prop)) return $this->{$prop};
-		
-		$this->uses($prop);
-		if(property_exists($this, $prop)) return $this->{$prop};
-		else return null;
 	}
 	
-	public function __destruct() {
-		session_write_close();
-	}
-
 	public function uses($classes) {
 		$cl = explode(',', $classes);
 		if(is_array($cl)) {
@@ -336,12 +332,51 @@ class app {
 		$this->tpl->setVar('globalsearch_noresults_limit_txt', $this->lng('globalsearch_noresults_limit_txt'));
 		$this->tpl->setVar('globalsearch_searchfield_watermark_txt', $this->lng('globalsearch_searchfield_watermark_txt'));
 	}
+	
+	private function get_cookie_domain() {
+		$proxy_panel_allowed = $this->getconf->get_security_config('permissions')['reverse_proxy_panel_allowed'];
+		if ($proxy_panel_allowed == 'all') {
+			return '';
+		}
+		/*
+		 * See ticket #5238: It should be ensured, that _SERVER_NAME is always set.
+		 * Otherwise the security improvement doesn't work with nginx. If this is done,
+		 * the check for HTTP_HOST and workaround for nginx is obsolete.
+		 */
+		$cookie_domain = (isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
+		// Workaround for Nginx servers
+		if($cookie_domain == '_') {
+			$tmp = explode(':',$_SERVER["HTTP_HOST"]);
+			$cookie_domain = $tmp[0];
+			unset($tmp);
+		}
+		if($proxy_panel_allowed == 'sites') {
+			$forwarded_host = (isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : null );
+			if($forwarded_host !== null && $forwarded_host !== $cookie_domain) {
+				// Just check for complete domain name and not auto subdomains
+				$sql = "SELECT domain_id from web_domain where domain = '$forwarded_host'";
+				$recs = $this->db->queryOneRecord($sql);
+				if($recs !== null) {
+					$cookie_domain = $forwarded_host;
+				}
+				unset($forwarded_host);
+			}
+		}
+		
+		return $cookie_domain;
+	}
 
 } // end class
 
 //** Initialize application (app) object
 //* possible future =  new app($conf);
 $app = new app();
+/* 
+   split session creation out of constructor is IMHO better.
+   otherwise we have some circular references to global $app like in
+   getconfig property of App - RA
+*/
+$app->initialize_session();
 
 // load and enable PHP Intrusion Detection System (PHPIDS)
 $ids_security_config = $app->getconf->get_security_config('ids');
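Review bot: In `get_cookie_domain()` the query `"SELECT domain_id from web_domain where domain = '$forwarded_host'"` interpolates the raw `X-Forwarded-Host` request header into SQL, so any client can inject into this statement whenever `reverse_proxy_panel_allowed` is `sites`; the value must go through the db layer's escaping (`'" . $this->db->quote($forwarded_host) . "'`, if this version's db class provides `quote()`) or a bound parameter, never string interpolation. The `$recs !== null` check should also be confirmed against what `queryOneRecord()` actually returns on no match, since a `false` return would be accepted as a hit and let an unknown forwarded host become the cookie domain. A short docblock on the method stating the three accepted values of the setting (`none`, `sites`, `all`) and that the returned string is used as the session cookie domain would help the next maintainer.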
diff --git a/security/security_settings.ini b/security/security_settings.ini
index 24f4e38d209d6875c43538a09afb3a744ee2aa43..c135652e17cf15aa650168c206b44ff3725b3345 100644
--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -17,6 +17,7 @@ admin_allow_software_repo=superadmin
 remote_api_allowed=yes
 password_reset_allowed=yes
 session_regenerate_id=yes
+reverse_proxy_panel_allowed=none
 
 [ids]
 ids_anon_enabled=yes
@@ -42,4 +43,5 @@ security_admin_email_subject=Security alert from server
 warn_new_admin=yes
 warn_passwd_change=no
 warn_shadow_change=no
-warn_group_change=no
\ No newline at end of file
+warn_group_change=no
+