diff --git a/CHANGELOG.md b/CHANGELOG.md
index e22592fe..7dd0b9ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ Control panel:
 * After logging in, the default page is now a fast-loading welcome page rather than the slow-loading system status checks page.
 * The backup retention period option now displays for B2 backup targets.
 * The DNSSEC DS record recommendations are cleaned up and now recommend changing records that use SHA1.
+* The Munin monitoring pages no longer require a separate HTTP basic authentication login and can be used if two-factor authentication is turned on.
 * Control panel logins are now tied to a session backend that allows true logouts (rather than an encrypted cookie).
 * Failed logins no longer directly reveal whether the email address corresponds to a user account.
 * Browser dark mode now inverts the color scheme.
diff --git a/management/auth.py b/management/auth.py
index 38c15e91..0a88c457 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -72,14 +72,9 @@ class AuthService:
 			return (None, ["admin"])
 
 		# If the password corresponds with a session token for the user, grant access for that user.
-		if password in self.sessions and self.sessions[password]["email"] == username and not login_only:
+		if self.get_session(username, password, "login", env) and not login_only:
 			sessionid = password
 			session = self.sessions[sessionid]
-			if session["password_token"] != self.create_user_password_state_token(username, env):
-				# This session is invalid because the user's password/MFA state changed
-				# after the session was created.
-				del self.sessions[sessionid]
-				raise ValueError("Session expired.")
 			if logout:
 				# Clear the session.
 				del self.sessions[sessionid]
@@ -158,5 +153,14 @@ class AuthService:
 		self.sessions[token] = {
 			"email": username,
 			"password_token": self.create_user_password_state_token(username, env),
+			"type": type,
 		}
 		return token
+
+	def get_session(self, user_email, session_key, session_type, env):
+		if session_key not in self.sessions: return None
+		session = self.sessions[session_key]
+		if session_type == "login" and session["email"] != user_email: return None
+		if session["type"] != session_type: return None
+		if session["password_token"] != self.create_user_password_state_token(session["email"], env): return None
+		return session
diff --git a/management/daemon.py b/management/daemon.py
index ca891772..280efec0 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -654,16 +654,42 @@ def privacy_status_set():
 # MUNIN
 
 @app.route('/munin/')
-@app.route('/munin/<path:filename>')
 @authorized_personnel_only
-def munin(filename=""):
-	# Checks administrative access (@authorized_personnel_only) and then just proxies
-	# the request to static files.
+def munin_start():
+	# Munin pages, static images, and dynamically generated images are served
+	# outside of the AJAX API. We'll start with a 'start' API that sets a cookie
+	# that subsequent requests will read for authorization. (We don't use cookies
+	# for the API to avoid CSRF vulnerabilities.)
+	response = make_response("OK")
+	response.set_cookie("session", auth_service.create_session_key(request.user_email, env, type='cookie'),
+	    max_age=60*30, secure=True, httponly=True, samesite="Strict") # 30 minute duration
+	return response
+
+def check_request_cookie_for_admin_access():
+	session = auth_service.get_session(None, request.cookies.get("session", ""), "cookie", env)
+	if not session: return False
+	privs = get_mail_user_privileges(session["email"], env)
+	if not isinstance(privs, list): return False
+	if "admin" not in privs: return False
+	return True
+
+def authorized_personnel_only_via_cookie(f):
+	@wraps(f)
+	def g(*args, **kwargs):
+		if not check_request_cookie_for_admin_access():
+			return Response("Unauthorized", status=403, mimetype='text/plain', headers={})
+		return f(*args, **kwargs)
+	return g
+
+@app.route('/munin/<path:filename>')
+@authorized_personnel_only_via_cookie
+def munin_static_file(filename=""):
+	# Proxy the request to static files.
 	if filename == "": filename = "index.html"
 	return send_from_directory("/var/cache/munin/www", filename)
 
 @app.route('/munin/cgi-graph/<path:filename>')
-@authorized_personnel_only
+@authorized_personnel_only_via_cookie
 def munin_cgi(filename):
 	""" Relay munin cgi dynazoom requests
 	/usr/lib/munin/cgi/munin-cgi-graph is a perl cgi script in the munin package
diff --git a/management/templates/index.html b/management/templates/index.html
index 115693aa..f9c87f2c 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -124,7 +124,7 @@
                 <li class="dropdown-header">Advanced Pages</li>
                 <li><a href="#custom_dns" onclick="return show_panel(this);">Custom DNS</a></li>
                 <li><a href="#external_dns" onclick="return show_panel(this);">External DNS</a></li>
-                <li><a href="/admin/munin" target="_blank">Munin Monitoring</a></li>
+                <li><a href="#munin" onclick="return show_panel(this);">Munin Monitoring</a></li>
               </ul>
             </li>
             <li><a href="#mail-guide" onclick="return show_panel(this);" class="if-logged-in-not-admin">Mail</a></li>
@@ -202,6 +202,10 @@
       {% include "ssl.html" %}
       </div>
 
+      <div id="panel_munin" class="admin_panel">
+      {% include "munin.html" %}
+      </div>
+
       <hr>
 
       <footer>
diff --git a/management/templates/munin.html b/management/templates/munin.html
new file mode 100644
index 00000000..ab2a01ce
--- /dev/null
+++ b/management/templates/munin.html
@@ -0,0 +1,20 @@
+<h2>Munin Monitoring</h2>
+
+<style>
+</style>
+
+<p>Opening munin in a new tab... You may need to allow pop-ups for this site.</p>
+
+<script>
+function show_munin() {
+  // Set the cookie.
+  api(
+    "/munin",
+    "GET",
+    { },
+    function(r) {
+      // Redirect.
+      window.open("/admin/munin/index.html", "_blank");
+    });
+}
+</script>