diff --git a/server/config/default/apiserver.conf b/server/config/default/apiserver.conf
index 2b315ed..8446059 100644
--- a/server/config/default/apiserver.conf
+++ b/server/config/default/apiserver.conf
@@ -41,6 +41,27 @@
 
         # cookie containing auth token, for requests arriving from a web-browser
         session_auth_cookie_name: "trains_token_basic"
+
+        # cookie configuration for authorization cookies generated by auth.login
+        cookies {
+            httponly: true  # allow only http to access the cookies (no JS etc)
+            secure: false   # not using HTTPS
+            domain: null    # Limit to localhost is not supported
+            max_age: 99999999999
+        }
+
+#        # A list of fixed users
+#        fixed_users {
+#            enabled: true
+#            users: [
+#                {
+#                    username: "john"
+#                    password: "123456"
+#                    name: "john doe"
+#                }
+#
+#            ]
+#        }
     }
 
     cors {
diff --git a/server/server.py b/server/server.py
index c0c130f..3d4cbbf 100644
--- a/server/server.py
+++ b/server/server.py
@@ -63,7 +63,7 @@ def before_request():
 
         if call.result.cookies:
             for key, value in call.result.cookies.items():
-                response.set_cookie(key, value, httponly=True)
+                response.set_cookie(key, value, **config.get("apiserver.auth.cookies"))
 
         return response
     except Exception as ex: