diff --git a/src/lib/server/session.ts b/src/lib/server/session.ts
index 8a71e82..872a97f 100644
--- a/src/lib/server/session.ts
+++ b/src/lib/server/session.ts
@@ -3,46 +3,56 @@ import type { Cookies } from '@sveltejs/kit';
 import * as crypto from 'crypto';
 import type { Admin } from '$lib/server/database';
-const sessions: Map = new Map();
+export interface Session {
+ sessionId: string;
+ userId: number;
+ permissions: Permissions;
+}
+
+let sessions: Session[] = [];
+
+function sessionFromId(sessionId: string | Cookies): Session | null {
+ const sessId = sessionIdFromStringOrCookies(sessionId);
+ return sessions.find((v) => v.sessionId == sessId) || null;
+}
+
+function sessionIdFromStringOrCookies(input: string | Cookies): string | null {
+ return typeof input == 'string' ? input : input.get('session') || null;
+}
 export function addSession(user: { id: number; permissions: Permissions } | Admin): string {
 const session = crypto.randomBytes(16).toString('hex');
- sessions.set(session, { userId: user.id, permissions: user.permissions });
+ sessions.push({
+ sessionId: session,
+ userId: user.id,
+ permissions: user.permissions
+ });
 return session;
 }
-export function getSession(session: string | Cookies, permissions?: number[]): Permissions | null {
- let sess: Permissions | null;
- if (typeof session == 'string') {
- sess = sessions.get(session)?.permissions || null;
- } else {
- const sessionId = session.get('session');
- sess = sessionId ?
sessions.get(sessionId)?.permissions || null : null;
- }
-
- if (!sess) {
+export function getSession(
+ sessionId: string | Cookies,
+ options?: { permissions?: number[] }
+): Session | null {
+ const session = sessionFromId(sessionId);
+ if (!session) {
 return null;
 }
- for (const perm of permissions || []) {
- if ((sess.value & perm) == 0) {
+ for (const perm of options?.permissions || []) {
+ if ((session.permissions.value & perm) == 0) {
 return null;
 }
 }
- return sess;
+ return session;
 }
-export function deleteSession(session: string | Cookies) {
- if (typeof session == 'string') {
- sessions.delete(session);
- } else {
- sessions.delete(session.get('session') || '');
+export function deleteSession(sessionId: string | Cookies) {
+ const session = sessionFromId(sessionId);
+ if (session) {
+ sessions.splice(sessions.indexOf(session), 1);
 }
 }
 export function deleteAllUserSessions(userId: number) {
- for (const [id, details] of sessions.entries()) {
- if (details.userId == userId) {
- sessions.delete(id);
- }
- }
+ sessions = sessions.filter((v) => v.userId == userId);
 }
diff --git a/src/routes/admin/admin/+page.server.ts b/src/routes/admin/admin/+page.server.ts
index f90019b..112bf62 100644
--- a/src/routes/admin/admin/+page.server.ts
+++ b/src/routes/admin/admin/+page.server.ts
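Review bot: `deleteAllUserSessions` is inverted in the new body: `sessions = sessions.filter((v) => v.userId == userId)` keeps only that user's sessions and discards everyone else's, whereas the removed loop deleted exactly the matching entries. Any caller relying on it to revoke a user's access (password or permission change, account removal) would leave that user logged in and terminate every other admin's session. The predicate needs negating: `sessions = sessions.filter((v) => v.userId != userId);`. A smaller point: replacing the `Map` with an array makes `sessionFromId` a linear scan on every request; a `Map<string, Session>` keyed by `sessionId` would keep O(1) lookup and turn `deleteSession` into a single `delete` instead of `indexOf` plus `splice`.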
@@ -1,11 +1,16 @@
 import type { PageServerLoad } from './$types';
 import { Admin } from '$lib/server/database';
 import { getSession } from '$lib/server/session';
+import { Permissions } from '$lib/permissions';
 export const load: PageServerLoad = async ({ cookies }) => {
- const admins = await Admin.findAll({ attributes: { exclude: ['password'] } });
+ let admins: Admin[] = [];
+ if (getSession(cookies, { permissions: [Permissions.AdminRead] }) != null) {
+ admins = await Admin.findAll({ attributes: { exclude: ['password'] } });
+ }
+
 return {
 admins: JSON.parse(JSON.stringify(admins)),
- permissions: getSession(cookies.get('session') || '')!.value
+ permissions: getSession(cookies.get('session') || '')!.permissions.value
 };
 };
diff --git a/src/routes/admin/admin/+server.ts b/src/routes/admin/admin/+server.ts
index aea02f7..35e02fd 100644
--- a/src/routes/admin/admin/+server.ts
+++ b/src/routes/admin/admin/+server.ts
@@ -5,7 +5,7 @@ import { Admin } from '$lib/server/database';
 import { env as publicEnv } from '$env/dynamic/public';
 export const POST = (async ({ request, cookies }) => {
- if (getSession(cookies, [Permissions.AdminWrite]) == null) {
+ if (getSession(cookies, { permissions: [Permissions.AdminWrite] }) == null) {
 return new Response(null, { status: 401 });
@@ -34,7 +34,7 @@ export const POST = (async ({ request, cookies }) => {
 }) satisfies RequestHandler;
 export const PATCH = (async ({ request, cookies }) => {
- if (getSession(cookies, [Permissions.AdminWrite]) == null) {
+ if (getSession(cookies, { permissions: [Permissions.AdminWrite] }) == null) {
 return new Response(null, { status: 401 });
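Review bot: The non-null assertion in `getSession(cookies.get('session') || '')!.permissions.value` survives the change, so a request with no valid session now passes the new AdminRead guard with an empty list and then throws on the `permissions` field, turning an unauthenticated hit on this page into a 500 rather than a clean denial. The session is also resolved twice, once from `cookies` and once from the raw cookie string, and the two lookups could in principle disagree. I would resolve it once and fail closed: `const session = getSession(cookies);` followed by `if (session === null) return { admins: [], permissions: 0 };` (0 meaning no permission bits, matching the bitmask test in getSession), then keep the AdminRead check as written and use `session.permissions.value` in the returned object.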
@@ -52,7 +52,7 @@ export const PATCH = (async ({ request, cookies }) => {
 const updatePayload: { [key: string]: any } = {};
 if (data['username']) updatePayload.username = data['username'];
 if (data['password']) updatePayload.password = data['password'];
- if (data['permissions']) updatePayload.permissions = data['permissions'];
+ if (data['permissions']) updatePayload.permissions = new Permissions(data['permissions']);
 let user = await Admin.findOne({ where: { id: id } });
 if (!user) {
@@ -74,7 +74,7 @@ export const PATCH = (async ({ request, cookies }) => {
 }) satisfies RequestHandler;
 export const DELETE = (async ({ request, cookies }) => {
- if (getSession(cookies, [Permissions.AdminWrite]) == null) {
+ if (getSession(cookies, { permissions: [Permissions.AdminWrite] }) == null) {
 return new Response(null, { status: 401 });
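Review bot: `new Permissions(data['permissions'])` is constructed straight from `data` (presumably the parsed request body; where it is read is outside this hunk) with no type or range check, and the `if (data['permissions'])` truthiness guard means a value of `0` — revoke every bit — is silently dropped while any truthy string or object reaches the constructor. I would validate the shape the constructor expects before this line, for example `if (data['permissions'] !== undefined && !Number.isInteger(data['permissions'])) return new Response(null, { status: 400 });`, and test presence with `!== undefined` rather than truthiness so `0` is accepted. Separately, `addSession` in session.ts copies `user.permissions` into the stored `Session`, so a permission change made here does not reach that admin's live sessions; unless `deleteAllUserSessions(id)` is called further down in PATCH (outside this hunk), the previous permissions stay effective until the admin logs out.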