diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
index a6bc31505..d19ae58d5 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
@@ -28,15 +28,12 @@
 */
 namespace OPNsense\Base;
-use OPNsense\Core\ACL;
-use Phalcon\Mvc\Controller;
-use Phalcon\Logger\Adapter\Syslog;
 /**
 * Class ApiControllerBase, inherit this class to implement API calls
 * @package OPNsense\Base
 */
-class ApiControllerBase extends Controller
+class ApiControllerBase extends ControllerRoot
 {
 /**
 * Initialize API controller
@@ -47,29 +44,6 @@ class ApiControllerBase extends Controller
 $this->view->disable();
 }
- /**
- * Wrap close session, for long running operations.
- */
- protected function sessionClose()
- {
- session_write_close();
- }
-
- /**
- * get system logger
- * @param string $ident syslog identifier
- * @return Syslog log handler
- */
- protected function getLogger($ident = "api")
- {
- $logger = new Syslog($ident, array(
- 'option' => LOG_PID,
- 'facility' => LOG_LOCAL4
- ));
-
- return $logger;
- }
-
 /**
 * before routing event
@@ -81,17 +55,8 @@ class ApiControllerBase extends Controller
 // TODO: implement authentication for api calls, at this moment you need a valid session on the web interface
 // use authentication of legacy OPNsense to validate user.
- if ($this->session->has("Username") == false) {
- $this->getLogger()->error("no active session, user not found");
- $this->response->redirect("/", true);
- }
-
- // Authorization using legacy acl structure
- $acl = new ACL();
- if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
- $this->getLogger()->error("uri ".$_SERVER['REQUEST_URI'].
- " not accessible for user ".$this->session->get("Username"));
- $this->response->redirect("/", true);
+ if (!$this->doAuth()) {
+ return false;
 }
 // check for valid csrf on post requests
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
index a59a6deb1..d4ca4bcf0 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -29,7 +29,6 @@
 namespace OPNsense\Base;
 use OPNsense\Core\Config;
-use OPNsense\Core\ACL;
 use Phalcon\Mvc\Controller;
 use Phalcon\Translate\Adapter\Gettext;
 use Phalcon\Translate\Adapter\NativeArray;
@@ -38,7 +37,7 @@ use Phalcon\Translate\Adapter\NativeArray;
 * Class ControllerBase implements core controller for OPNsense framework
 * @package OPNsense\Base
 */
-class ControllerBase extends Controller
+class ControllerBase extends ControllerRoot
 {
 /**
 * translate a text
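Review bot: The `return false` after `doAuth()` means an unauthenticated API call now ends in the redirect to `/` that `doAuth()` issues, which is web-UI behaviour: an API client following it receives an HTML login page instead of a 401/403 it can act on, and the TODO comment two lines above already acknowledges that API authentication is unfinished. Since this hunk delegates to the shared `ControllerRoot::doAuth()`, consider letting API controllers override the failure response, or at least mark the choice on the line, e.g. `// doAuth() redirects to "/" on failure; API clients get that redirect rather than a 401`. The CSRF token check that follows is now reached only for authenticated sessions, which is the right order. `beforeExecuteRoute` starts and ends outside the hunk.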
@@ -161,17 +160,10 @@ class ControllerBase extends Controller
 if (!$dispatcher->wasForwarded()) {
 // Authentication
 // - use authentication of legacy OPNsense.
- if ($this->session->has("Username") == false) {
- $this->response->redirect("/", true);
+ if (!$this->doAuth()) {
+ return false;
 }
- // Authorization using legacy acl structure
- $acl = new ACL();
- if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
- $this->response->redirect("/", true);
- }
-
-
 // check for valid csrf on post requests
 if ($this->request->isPost() && !$this->security->checkToken()) {
 // post without csrf, exit.
@@ -215,12 +207,4 @@ class ControllerBase extends Controller
 $this->view->acl = new \OPNsense\Core\ACL();
 }
- /**
- * @param $dispatcher
- */
- public function afterExecuteRoute($dispatcher)
- {
- // Executed after every found action
- // TODO: implement default behavior
- }
 }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
new file mode 100644
index 000000000..81ce1d47e
--- /dev/null
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
@@ -0,0 +1,96 @@
+ LOG_PID,
+ 'facility' => LOG_LOCAL4
+ ));
+
+ return $logger;
+ }
+
+ /**
+ * perform authentication, redirect user on non successful auth
+ * @return bool
+ */
+ public function doAuth()
+ {
+ if ($this->session->has("Username") == false) {
+ // user unknown
+ $this->getLogger()->error("no active session, user not found");
+ $this->response->redirect("/", true);
+ return false;
+ } elseif ($this->session->has("last_access")
+ && $this->session->get("last_access") < (time() - 14400)) {
+ // session expired (todo, use config timeout)
+ $this->getLogger()->error("session expired");
+ $this->response->redirect("/", true);
+ return false;
+ }
+ $this->session->set("last_access", time());
+
+ // Authorization using legacy acl structure
+ $acl = new ACL();
+ if (!$acl->isPageAccessible($this->session->get("Username"), $_SERVER['REQUEST_URI'])) {
+ $this->getLogger()->error("uri ".$_SERVER['REQUEST_URI'].
+ " not accessible for user ".$this->session->get("Username"));
+ $this->response->redirect("/", true);
+ return false;
+ }
+
+ return true;
+ }
+}
\ No newline at end of file
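Review bot: In the session-expired branch of `doAuth()` the stale session is redirected but never invalidated: `Username` and `last_access` stay in the session store, so whether the login is actually ended depends on what the legacy `/` page does with it; clearing the key before the redirect, e.g. `$this->session->remove("Username");`, would make the timeout enforced here rather than somewhere else. The 14400-second idle limit is hard-coded (the `todo` comment notes this) and `last_access` is refreshed before the ACL check, so a request that fails authorization still counts as activity; moving `$this->session->set("last_access", time());` after the `isPageAccessible` block avoids that. As a point of style, `$this->session->has("Username") == false` is a loose comparison where `!$this->session->has("Username")` reads cleaner, and logging every unauthenticated hit at `error` level is likely to be noisy in syslog. The file header, the class declaration and the start of `getLogger()` are not visible in this hunk as rendered, so those lines are not reviewed here.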