diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index fcca7e3d..17240ed5 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -161,20 +161,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	 */
 	public function boot(ContainerInterface $container): void
 	{
-		$timeout = (int) $this->params->get('admin_session_timeout', 0);
-
-		if ($timeout <= 0)
-		{
-			return;
-		}
-
-		if ($this->ipIsTrusted())
-		{
-			// Set both PHP and Joomla session lifetimes before the
-			// session handler runs its expiry check.
-			ini_set('session.gc_maxlifetime', 315360000);
-			Factory::getConfig()->set('lifetime', 525600);
-		}
+		// Session lifetime for trusted IPs is now handled by the firewall plugin
 	}
 
 	/**
diff --git a/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php b/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php
index c2b096b3..b7b82181 100644
--- a/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php
+++ b/src/packages/plg_system_mokowaas_firewall/src/Extension/Firewall.php
@@ -10,12 +10,14 @@ namespace Moko\Plugin\System\MokoWaaSFirewall\Extension;
 
 defined('_JEXEC') or die;
 
+use Joomla\CMS\Extension\BootableExtensionInterface;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Log\Log;
 use Joomla\CMS\Plugin\CMSPlugin;
 use Joomla\CMS\Router\Route;
 use Joomla\Event\SubscriberInterface;
 use Moko\Plugin\System\MokoWaaS\Helper\MokoWaaSHelper;
+use Psr\Container\ContainerInterface;
 
 /**
  * MokoWaaS Firewall Plugin
@@ -25,10 +27,29 @@ use Moko\Plugin\System\MokoWaaS\Helper\MokoWaaSHelper;
  *
  * @since  02.32.00
  */
-class Firewall extends CMSPlugin implements SubscriberInterface
+class Firewall extends CMSPlugin implements SubscriberInterface, BootableExtensionInterface
 {
 	protected $autoloadLanguage = true;
 
+	/**
+	 * Extend session lifetime for trusted IPs before Joomla creates the session.
+	 */
+	public function boot(ContainerInterface $container): void
+	{
+		$timeout = (int) $this->params->get('admin_session_timeout', 0);
+
+		if ($timeout <= 0)
+		{
+			return;
+		}
+
+		if ($this->ipIsTrusted())
+		{
+			ini_set('session.gc_maxlifetime', 315360000);
+			Factory::getConfig()->set('lifetime', 525600);
+		}
+	}
+
 	private const BLOCKED_FILES = [
 		'htaccess.txt', 'web.config.txt', 'configuration.php-dist',
 		'README.txt', 'LICENSE.txt', 'joomla.xml', 'robots.txt.dist',