diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index b941e95c..eb27aee0 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -73,7 +73,7 @@ DEFAULT_CONFIG = {
     'SESSION_KEY_BITS': 128,
     'SESSION_TIMEOUT': 3600,
     'PERMANENT_SESSION_LIFETIME': 30*24*3600,
-    'SESSION_COOKIE_SECURE': True,
+    'SESSION_COOKIE_SECURE': False,
     'CREDENTIAL_ROUNDS': 12,
     'TLS_PERMISSIVE': True,
     'TZ': 'Etc/UTC',
@@ -156,6 +156,8 @@ class ConfigManager:
         self.config['SESSION_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/3'
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
+        if self.config['TLS_FLAVOR'] != 'notls' and not self.config['SESSION_COOKIE_SECURE']:
+            self.config['SESSION_COOKIE_SECURE'] = True
         self.config['SESSION_PERMANENT'] = True
         self.config['SESSION_TIMEOUT'] = int(self.config['SESSION_TIMEOUT'])
         self.config['PERMANENT_SESSION_LIFETIME'] = int(self.config['PERMANENT_SESSION_LIFETIME'])
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index a4218ac6..6fa9403f 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -39,7 +39,7 @@ def login():
             flask.session.regenerate()
             flask_login.login_user(user)
             response = flask.redirect(destination)
-            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=False if app.config['TLS_FLAVOR'] == 'notls' else app.config['SESSION_COOKIE_SECURE'], httponly=True)
+            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=app.config['SESSION_COOKIE_SECURE'], httponly=True)
             flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip} pwned={form.pwned.data}.')
             if msg := utils.isBadOrPwned(form):
                 flask.flash(msg, "error")
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index a330a7d6..f160fe3f 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -408,7 +408,7 @@ class MailuSessionInterface(SessionInterface):
                 httponly=self.get_cookie_httponly(app),
                 domain=self.get_cookie_domain(app),
                 path=self.get_cookie_path(app),
-                secure=False if app.config['TLS_FLAVOR'] == 'notls' else self.get_cookie_secure(app),
+                secure=self.get_cookie_secure(app),
                 samesite=self.get_cookie_samesite(app)
             )