diff --git a/db/auth.go b/db/auth.go
index f8ab148..64533dd 100644
--- a/db/auth.go
+++ b/db/auth.go
@@ -45,13 +45,15 @@ type Session struct {
 	Id        string
 	UserId    uuid.UUID
 	CreatedAt time.Time
+	ExpiresAt time.Time
 }
 
-func NewSession(id string, userId uuid.UUID, createdAt time.Time) *Session {
+func NewSession(id string, userId uuid.UUID, createdAt time.Time, expiresAt time.Time) *Session {
 	return &Session{
 		Id:        id,
 		UserId:    userId,
 		CreatedAt: createdAt,
+		ExpiresAt: expiresAt,
 	}
 }
 
@@ -106,7 +108,7 @@ func NewAuthSqlite(db *sql.DB) *AuthSqlite {
 
 func (db AuthSqlite) InsertUser(user *User) error {
 	_, err := db.db.Exec(`
-		INSERT INTO user (user_uuid, email, email_verified, email_verified_at, is_admin, password, salt, created_at) 
+		INSERT INTO user (user_id, email, email_verified, email_verified_at, is_admin, password, salt, created_at) 
 		VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
 		user.Id, user.Email, user.EmailVerified, user.EmailVerifiedAt, user.IsAdmin, user.Password, user.Salt, user.CreateAt)
 
@@ -126,7 +128,7 @@ func (db AuthSqlite) UpdateUser(user *User) error {
 	_, err := db.db.Exec(`
 		UPDATE user 
 		SET email_verified = ?, email_verified_at = ?, password = ?
-		WHERE user_uuid = ?`,
+		WHERE user_id = ?`,
 		user.EmailVerified, user.EmailVerifiedAt, user.Password, user.Id)
 
 	if err != nil {
@@ -149,7 +151,7 @@ func (db AuthSqlite) GetUserByEmail(email string) (*User, error) {
 	)
 
 	err := db.db.QueryRow(`
-		SELECT user_uuid, email_verified, email_verified_at, password, salt, created_at
+		SELECT user_id, email_verified, email_verified_at, password, salt, created_at
 		FROM user 
 		WHERE email = ?`, email).Scan(&userId, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
 	if err != nil {
@@ -178,7 +180,7 @@ func (db AuthSqlite) GetUser(userId uuid.UUID) (*User, error) {
 	err := db.db.QueryRow(`
 		SELECT email, email_verified, email_verified_at, password, salt, created_at
 		FROM user 
-		WHERE user_uuid = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
+		WHERE user_id = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return nil, ErrNotFound
@@ -206,21 +208,21 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM user_token WHERE user_uuid = ?", userId)
+	_, err = tx.Exec("DELETE FROM user_token WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete user tokens: %v", err)
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM session WHERE user_uuid = ?", userId)
+	_, err = tx.Exec("DELETE FROM session WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete sessions: %v", err)
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM user WHERE user_uuid = ?", userId)
+	_, err = tx.Exec("DELETE FROM user WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete user: %v", err)
@@ -238,7 +240,7 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
 
 func (db AuthSqlite) InsertToken(token *Token) error {
 	_, err := db.db.Exec(`
-		INSERT INTO user_token (user_uuid, type, token, created_at, expires_at)
+		INSERT INTO user_token (user_id, type, token, created_at, expires_at)
 		VALUES (?, ?, ?, ?, ?)`, token.UserId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
 
 	if err != nil {
@@ -260,7 +262,7 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
 	)
 
 	err := db.db.QueryRow(`
-		SELECT user_uuid, type, created_at, expires_at 
+		SELECT user_id, type, created_at, expires_at 
 		FROM user_token 
 		WHERE token = ? 
 		AND type = 'email_verify'`, token).Scan(&userId, &tokenType, &createdAtStr, &expiresAtStr)
@@ -295,7 +297,7 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
 	query, err := db.db.Query(`
 		SELECT token, created_at, expires_at 
 		FROM user_token 
-		WHERE user_uuid = ?
+		WHERE user_id = ?
 		AND type = ?`, userId, tokenType)
 
 	if err != nil {
@@ -350,7 +352,7 @@ func (db AuthSqlite) DeleteToken(token string) error {
 func (db AuthSqlite) InsertSession(session *Session) error {
 
 	_, err := db.db.Exec(`
-		INSERT INTO session (session_id, user_uuid, created_at) 
+		INSERT INTO session (session_id, user_id, created_at) 
 		VALUES (?, ?, ?)`, session.Id, session.UserId, session.CreatedAt)
 
 	if err != nil {
@@ -364,26 +366,26 @@ func (db AuthSqlite) InsertSession(session *Session) error {
 func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
 
 	var (
-		userId           uuid.UUID
-		sessionCreatedAt time.Time
+		userId    uuid.UUID
+		createdAt time.Time
+		expiresAt time.Time
 	)
 
 	err := db.db.QueryRow(`
-			SELECT u.user_uuid, s.created_at
-			FROM session s
-			INNER JOIN user u ON s.user_uuid = u.user_uuid
-			WHERE session_id = ?`, sessionId).Scan(&userId, &sessionCreatedAt)
+			SELECT user_id, created_at, expires_at
+			FROM session 
+			WHERE session_id = ?`, sessionId).Scan(&userId, &createdAt, &expiresAt)
 
 	if err != nil {
 		return nil, ErrNotFound
 	}
 
-	return NewSession(sessionId, userId, sessionCreatedAt), nil
+	return NewSession(sessionId, userId, createdAt, expiresAt), nil
 }
 
 func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
 	// Delete old inactive sessions
-	_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_uuid = ?", userId)
+	_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
 	if err != nil {
 		log.Error("Could not delete old sessions: %v", err)
 		return types.ErrInternal
diff --git a/db/auth_test.go b/db/auth_test.go
index 51fc311..810712b 100644
--- a/db/auth_test.go
+++ b/db/auth_test.go
@@ -2,6 +2,7 @@ package db
 
 import (
 	"database/sql"
+	"me-fit/types"
 	"testing"
 	"time"
 
@@ -29,17 +30,7 @@ func setupDb(t *testing.T) *sql.DB {
 func TestUser(t *testing.T) {
 	t.Parallel()
 
-	t.Run("should return UserNotFound", func(t *testing.T) {
-		t.Parallel()
-		db := setupDb(t)
-
-		underTest := AuthSqlite{db: db}
-
-		_, err := underTest.GetUserByEmail("someNonExistentEmail")
-		assert.Equal(t, ErrNotFound, err)
-	})
-
-	t.Run("should insert and get user", func(t *testing.T) {
+	t.Run("should insert and get the same", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
@@ -52,13 +43,24 @@ func TestUser(t *testing.T) {
 		err := underTest.InsertUser(expected)
 		assert.Nil(t, err)
 
-		actual, err := underTest.GetUserByEmail(expected.Email)
+		actual, err := underTest.GetUser(expected.Id)
 		assert.Nil(t, err)
+		assert.Equal(t, expected, actual)
 
+		actual, err = underTest.GetUserByEmail(expected.Email)
+		assert.Nil(t, err)
 		assert.Equal(t, expected, actual)
 	})
+	t.Run("should return UserNotFound", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
 
-	t.Run("should throw error if user already exists", func(t *testing.T) {
+		underTest := AuthSqlite{db: db}
+
+		_, err := underTest.GetUserByEmail("nonExistentEmail")
+		assert.Equal(t, ErrNotFound, err)
+	})
+	t.Run("should return ErrUserExist", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
@@ -74,6 +76,18 @@ func TestUser(t *testing.T) {
 		err = underTest.InsertUser(user)
 		assert.Equal(t, ErrUserExists, err)
 	})
+	t.Run("should return ErrInternal on missing NOT NULL fields", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", false, nil, false, []byte("somePass"), nil, createAt)
+
+		err := underTest.InsertUser(user)
+		assert.Equal(t, types.ErrInternal, err)
+	})
 }
 
 func TestEmailVerification(t *testing.T) {
diff --git a/handler/auth.go b/handler/auth.go
index b2e84bf..1fdfaa6 100644
--- a/handler/auth.go
+++ b/handler/auth.go
@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"me-fit/handler/middleware"
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/template/auth"
@@ -58,9 +59,9 @@ var (
 
 func (handler AuthImpl) handleSignInPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if user != nil {
-			if !user.EmailVerified {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session != nil {
+			if !session.User.EmailVerified {
 				utils.DoRedirect(w, r, "/auth/verify")
 			} else {
 				utils.DoRedirect(w, r, "/")
@@ -121,10 +122,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
 
 func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
 
-		if user != nil {
-			if !user.EmailVerified {
+		if session != nil {
+			if !session.User.EmailVerified {
 				utils.DoRedirect(w, r, "/auth/verify")
 			} else {
 				utils.DoRedirect(w, r, "/")
@@ -139,33 +140,34 @@ func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
 
 func (handler AuthImpl) handleSignUpVerifyPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if user == nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
-		if user.EmailVerified {
+		if session.User.EmailVerified {
 			utils.DoRedirect(w, r, "/")
 			return
 		}
 
 		signIn := auth.VerifyComp()
-		handler.render.RenderLayout(r, w, signIn, user)
+		handler.render.RenderLayout(r, w, signIn, session.User)
 	}
 }
 
 func (handler AuthImpl) handleVerifyResendComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
+		user := session.User
 		go handler.service.SendVerificationMail(user.Id, user.Email)
 
-		_, err = w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
+		_, err := w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
 		if err != nil {
 			log.Error("Could not write response: %v", err)
 		}
@@ -219,11 +221,14 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
 
 func (handler AuthImpl) handleSignOut() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		err := handler.service.SignOut(utils.GetSessionID(r))
-		if err != nil {
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+
+		if session != nil {
+			err := handler.service.SignOut(session.Id)
+			if err != nil {
+				http.Error(w, "An error occurred", http.StatusInternalServerError)
+				return
+			}
 		}
 
 		c := http.Cookie{
@@ -243,34 +248,33 @@ func (handler AuthImpl) handleSignOut() http.HandlerFunc {
 
 func (handler AuthImpl) handleDeleteAccountPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// An unverified email should be able to delete their account
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 		}
 
 		comp := auth.DeleteAccountComp()
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
 func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		password := r.FormValue("password")
 
-		_, err = handler.service.SignIn(user.Email, password)
+		_, err := handler.service.SignIn(session.User.Email, password)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Password not correct")
 			return
 		}
 
-		err = handler.service.DeleteAccount(user)
+		err = handler.service.DeleteAccount(session.User)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Internal Server Error")
 			return
@@ -285,23 +289,23 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
 
 		isPasswordReset := r.URL.Query().Has("token")
 
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
 
-		if user == nil && !isPasswordReset {
+		if session == nil && !isPasswordReset {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		comp := auth.ChangePasswordComp(isPasswordReset)
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
 func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -309,7 +313,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 		currPass := r.FormValue("current-password")
 		newPass := r.FormValue("new-password")
 
-		err = handler.service.ChangePassword(user, currPass, newPass)
+		err := handler.service.ChangePassword(session.User, currPass, newPass)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Password not correct")
 			return
@@ -322,14 +326,14 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		comp := auth.ResetPasswordComp()
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
diff --git a/handler/index_and_404.go b/handler/index_and_404.go
index d69e560..68f3a30 100644
--- a/handler/index_and_404.go
+++ b/handler/index_and_404.go
@@ -1,9 +1,9 @@
 package handler
 
 import (
+	"me-fit/handler/middleware"
 	"me-fit/service"
 	"me-fit/template"
-	"me-fit/utils"
 
 	"net/http"
 
@@ -32,7 +32,11 @@ func (handler IndexImpl) Handle(router *http.ServeMux) {
 
 func (handler IndexImpl) handleIndexAnd404() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		var user *service.User
+		if session != nil {
+			user = session.User
+		}
 
 		var comp templ.Component
 
diff --git a/handler/middleware/authenticate.go b/handler/middleware/authenticate.go
new file mode 100644
index 0000000..3e23fc8
--- /dev/null
+++ b/handler/middleware/authenticate.go
@@ -0,0 +1,38 @@
+package middleware
+
+import (
+	"context"
+	"me-fit/service"
+
+	"net/http"
+)
+
+type ContextKey string
+
+var SessionKey ContextKey = "session"
+
+func Authenticate(service service.Auth) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			sessionId := getSessionID(r)
+			session, _ := service.SignInSession(sessionId)
+
+			if session != nil {
+				ctx := context.WithValue(r.Context(), SessionKey, session)
+
+				next.ServeHTTP(w, r.WithContext(ctx))
+			} else {
+				next.ServeHTTP(w, r)
+			}
+		})
+	}
+}
+
+func getSessionID(r *http.Request) string {
+	cookie, err := r.Cookie("id")
+	if err != nil {
+		return ""
+	}
+
+	return cookie.Name
+}
diff --git a/handler/middleware/cross_site_request_forgery.go b/handler/middleware/cross_site_request_forgery.go
index cc695a8..3eb9d41 100644
--- a/handler/middleware/cross_site_request_forgery.go
+++ b/handler/middleware/cross_site_request_forgery.go
@@ -1,16 +1,20 @@
 package middleware
 
-import "net/http"
+import (
+	"me-fit/service"
+	"net/http"
+)
 
-func CrossSiteRequestForgery() func(http.Handler) http.Handler {
+func CrossSiteRequestForgery(auth *service.Auth) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+			// session := r.Context().Value(SessionKey)
+
 			if r.Method == "POST" {
-				// Check the CSRF token
-				csrfToken := r.Header.Get("X-CSRF-Token")
-				sessionToken := r.Header.Get("X-Session-Token")
-				if csrfToken != sessionToken {
-					http.Error(w, "CSRF token mismatch", http.StatusForbidden)
+				csrfToken := r.FormValue("csrf-token")
+				if csrfToken == "" {
+					http.Error(w, "", http.StatusForbidden)
 					return
 				}
 			}
diff --git a/handler/middleware/user.go b/handler/middleware/user.go
deleted file mode 100644
index edd720d..0000000
--- a/handler/middleware/user.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package middleware
-
-import (
-	"me-fit/service"
-
-	"net/http"
-)
-
-func UserAuth(service *service.AuthService) func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Check the user is logged in
-			sessionToken := r.Header.Get("X-Session-Token")
-			if sessionToken == "" {
-				http.Error(w, "Unauthorized", http.StatusUnauthorized)
-				return
-			}
-
-			next.ServeHTTP(w, r)
-		})
-	}
-}
diff --git a/handler/workout.go b/handler/workout.go
index 9ee78c0..74e1497 100644
--- a/handler/workout.go
+++ b/handler/workout.go
@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"me-fit/handler/middleware"
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/template/workout"
@@ -38,22 +39,22 @@ func (handler WorkoutImpl) Handle(router *http.ServeMux) {
 
 func (handler WorkoutImpl) handleWorkoutPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		currentDate := time.Now().Format("2006-01-02")
 		comp := workout.WorkoutComp(currentDate)
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
 func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -64,7 +65,7 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 		var repsStr = r.FormValue("reps")
 
 		wo := service.NewWorkoutDto("", dateStr, typeStr, setsStr, repsStr)
-		wo, err = handler.service.AddWorkout(user, wo)
+		wo, err := handler.service.AddWorkout(session.User, wo)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Invalid input values")
 			http.Error(w, "Invalid input values", http.StatusBadRequest)
@@ -79,13 +80,13 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 
 func (handler WorkoutImpl) handleGetWorkout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
-		workouts, err := handler.service.GetWorkouts(user)
+		workouts, err := handler.service.GetWorkouts(session.User)
 		if err != nil {
 			return
 		}
@@ -102,8 +103,8 @@ func (handler WorkoutImpl) handleGetWorkout() http.HandlerFunc {
 
 func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := r.Context().Value(middleware.SessionKey).(*service.Session)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -124,7 +125,7 @@ func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
 			return
 		}
 
-		err = handler.service.DeleteWorkout(user, rowIdInt)
+		err = handler.service.DeleteWorkout(session.User, rowIdInt)
 		if err != nil {
 			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 			log.Error("Could not delete workout: %v", err.Error())
diff --git a/main_test.go b/main_test.go
index ca19471..8b987c6 100644
--- a/main_test.go
+++ b/main_test.go
@@ -34,7 +34,7 @@ func TestHandleSignIn(t *testing.T) {
 
 		pass := service.GetHashPassword("password", []byte("salt"))
 		_, err := db.Exec(`
-			INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) 
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
 			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
 		if err != nil {
 			t.Fatalf("Error inserting user: %v", err)
diff --git a/migration/001_initial_schema.up.sql b/migration/001_initial_schema.up.sql
index df7bae9..fb88bd8 100644
--- a/migration/001_initial_schema.up.sql
+++ b/migration/001_initial_schema.up.sql
@@ -1,4 +1,40 @@
 
+CREATE TABLE user (
+	user_id TEXT NOT NULL UNIQUE PRIMARY KEY,
+
+	email TEXT NOT NULL UNIQUE,
+	email_verified BOOLEAN NOT NULL,
+	email_verified_at DATETIME,
+
+	is_admin BOOLEAN NOT NULL,
+
+	password BLOB NOT NULL,
+	salt BLOB NOT NULL,
+
+	created_at DATETIME NOT NULL
+) WITHOUT ROWID;
+
+CREATE TABLE session (
+	session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
+	user_id TEXT NOT NULL,
+
+	created_at DATETIME NOT NULL,
+	expires_at DATETIME NOT NULL
+) WITHOUT ROWID;
+
+
+CREATE TABLE token (
+	token TEXT NOT NULL UNIQUE PRIMARY KEY,
+
+	user_id TEXT,
+	session_id TEXT,
+
+	type TEXT NOT NULL,
+
+	created_at DATETIME NOT NULL,
+	expires_at DATETIME
+);
+
 CREATE TABLE workout (
 	user_id INTEGER NOT NULL,
 	date TEXT NOT NULL,
@@ -6,4 +42,3 @@ CREATE TABLE workout (
 	sets INTEGER NOT NULL,
 	reps INTEGER NOT NULL
 );
-
diff --git a/migration/002_user_and_session.up.sql b/migration/002_user_and_session.up.sql
deleted file mode 100644
index 98aa0cf..0000000
--- a/migration/002_user_and_session.up.sql
+++ /dev/null
@@ -1,21 +0,0 @@
-
-CREATE TABLE user (
-	user_uuid TEXT NOT NULL UNIQUE PRIMARY KEY,
-
-	email TEXT NOT NULL UNIQUE,
-	email_verified BOOLEAN NOT NULL,
-
-	is_admin BOOLEAN NOT NULL,
-
-	password BLOB NOT NULL,
-	salt BLOB NOT NULL,
-
-	created_at DATETIME NOT NULL
-) WITHOUT ROWID;
-
-CREATE TABLE session (
-	session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
-	user_uuid TEXT NOT NULL,
-
-	created_at DATETIME NOT NULL
-) WITHOUT ROWID;
diff --git a/migration/003_user_mail_verification.up.sql b/migration/003_user_mail_verification.up.sql
deleted file mode 100644
index 99cf4a6..0000000
--- a/migration/003_user_mail_verification.up.sql
+++ /dev/null
@@ -1,2 +0,0 @@
-
-ALTER TABLE user ADD COLUMN email_verified_at DATETIME DEFAULT NULL;
diff --git a/migration/004_user_tokens.up.sql b/migration/004_user_tokens.up.sql
deleted file mode 100644
index 98d3f19..0000000
--- a/migration/004_user_tokens.up.sql
+++ /dev/null
@@ -1,11 +0,0 @@
-
--- E.G. email-verifications, password-resets, unsubscribe-from-newsletter etc.
-CREATE TABLE user_token (
-	user_uuid TEXT NOT NULL,
-
-	type TEXT NOT NULL,
-	token TEXT NOT NULL UNIQUE PRIMARY KEY,
-
-	created_at DATETIME NOT NULL,
-	expires_at DATETIME
-);
diff --git a/service/auth.go b/service/auth.go
index 41a8561..eb565d9 100644
--- a/service/auth.go
+++ b/service/auth.go
@@ -42,6 +42,7 @@ func NewUser(user *db.User) *User {
 type Session struct {
 	Id        string
 	CreatedAt time.Time
+	ExpiresAt time.Time
 	User      *User
 }
 
@@ -49,6 +50,7 @@ func NewSession(session *db.Session, user *User) *Session {
 	return &Session{
 		Id:        session.Id,
 		CreatedAt: session.CreatedAt,
+		ExpiresAt: session.ExpiresAt,
 		User:      user,
 	}
 }
@@ -59,6 +61,7 @@ type Auth interface {
 	VerifyUserEmail(token string) error
 
 	SignIn(email string, password string) (*Session, error)
+	SignInSession(sessionId string) (*Session, error)
 	SignOut(sessionId string) error
 
 	DeleteAccount(user *User) error
@@ -68,7 +71,8 @@ type Auth interface {
 	SendForgotPasswordMail(email string) error
 	ForgotPassword(token string, newPass string) error
 
-	GetUserFromSessionId(sessionId string) (*User, error)
+	// IsCsrfTokenValid(token string, user *User) bool
+	// GetCsrfToken(token string, user *User) bool
 }
 
 type AuthImpl struct {
@@ -113,6 +117,31 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
 	return NewSession(session, NewUser(user)), nil
 }
 
+func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
+	if sessionId == "" {
+		return nil, ErrSessionIdInvalid
+	}
+
+	sessionDb, err := service.db.GetSession(sessionId)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	if sessionDb.ExpiresAt.After(service.clock.Now()) {
+		return nil, nil
+	}
+
+	userDb, err := service.db.GetUser(sessionDb.UserId)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	user := NewUser(userDb)
+	session := NewSession(sessionDb, user)
+
+	return session, nil
+}
+
 func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
 	sessionId, err := service.random.String(32)
 	if err != nil {
@@ -125,7 +154,10 @@ func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
 		return nil, types.ErrInternal
 	}
 
-	session := db.NewSession(sessionId, userId, service.clock.Now())
+	createAt := service.clock.Now()
+	expiresAt := createAt.Add(24 * time.Hour)
+
+	session := db.NewSession(sessionId, userId, createAt, expiresAt)
 
 	err = service.db.InsertSession(session)
 	if err != nil {
@@ -251,28 +283,6 @@ func (service AuthImpl) SignOut(sessionId string) error {
 	return service.db.DeleteSession(sessionId)
 }
 
-func (service AuthImpl) GetUserFromSessionId(sessionId string) (*User, error) {
-	if sessionId == "" {
-		return nil, ErrSessionIdInvalid
-	}
-
-	session, err := service.db.GetSession(sessionId)
-	if err != nil {
-		return nil, types.ErrInternal
-	}
-
-	user, err := service.db.GetUser(session.UserId)
-	if err != nil {
-		return nil, types.ErrInternal
-	}
-
-	if session.CreatedAt.Add(time.Duration(8 * time.Hour)).Before(service.clock.Now()) {
-		return nil, nil
-	} else {
-		return NewUser(user), nil
-	}
-}
-
 func (service AuthImpl) DeleteAccount(user *User) error {
 
 	err := service.db.DeleteUser(user.Id)
diff --git a/service/auth_test.go b/service/auth_test.go
index 7090047..ddb2f33 100644
--- a/service/auth_test.go
+++ b/service/auth_test.go
@@ -33,7 +33,7 @@ func TestSignIn(t *testing.T) {
 			time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
 		)
 
-		dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC))
+		dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
 
 		mockAuthDb := mocks.NewMockAuth(t)
 		mockAuthDb.EXPECT().GetUserByEmail("test@test.de").Return(user, nil)
diff --git a/utils/http.go b/utils/http.go
index cae8392..d370bc2 100644
--- a/utils/http.go
+++ b/utils/http.go
@@ -31,15 +31,6 @@ func WaitMinimumTime[T interface{}](waitTime time.Duration, function func() (T,
 	return result, err
 }
 
-func GetSessionID(r *http.Request) string {
-	for _, c := range r.Cookies() {
-		if c.Name == "id" {
-			return c.Value
-		}
-	}
-	return ""
-}
-
 func isHtmx(r *http.Request) bool {
 	return r.Header.Get("HX-Request") == "true"
 }