diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index dc3414f2..5df8052c 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -66,5 +66,12 @@ $('document').ready(function() {
     // init clipboard.js
     new ClipboardJS('.btn-clip');
 
+    // disable login if not possible
+    var l = $('#login_needs_https');
+    if (l.length && window.location.protocol != 'https:') {
+        l.removeClass("d-none");
+        $('form :input').prop('disabled', true);
+    }
+
 });
 
diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
index fb8e5bd4..d4d115db 100644
--- a/core/admin/mailu/ui/templates/login.html
+++ b/core/admin/mailu/ui/templates/login.html
@@ -7,3 +7,12 @@
 {%- block subtitle %}
 {% trans %}to access the administration tools{% endtrans %}
 {%- endblock %}
+
+{%- block content %}
+{% if config["SESSION_COOKIE_SECURE"] %}
+<div id="login_needs_https" class="alert alert-danger d-none" role="alert">
+{% trans %}The login form has been disabled as <b>SESSION_COOKIE_SECURE</b> is on but you are accessing Mailu over HTTP.{% endtrans %}
+</div>
+{% endif %}
+{{ super() }}
+{%- endblock %}
diff --git a/towncrier/newsfragments/1996.enhancement b/towncrier/newsfragments/1996.enhancement
new file mode 100644
index 00000000..d1bc2ccf
--- /dev/null
+++ b/towncrier/newsfragments/1996.enhancement
@@ -0,0 +1 @@
+Disable the login page if SESSION_COOKIE_SECURE is incompatible with how Mailu is accessed as this seems to be a common misconfiguration.