diff --git a/packages/agent0/.env.app.example b/packages/agent0/.env.app.example
index a123e5c..8e2dcdc 100644
--- a/packages/agent0/.env.app.example
+++ b/packages/agent0/.env.app.example
@@ -4,6 +4,10 @@
 PORT=3000
 SESSION_SECRET=your-session-secret-change-in-production
+# Cookie secure flag - set to false for local HTTP development.
+# In production with HTTPS, remove this line or set to true.
+COOKIE_SECURE=false
+
 # ============================================================================
 # RESOURCE SERVER - OKTA OAUTH (HUMAN SSO)
 # ============================================================================
diff --git a/packages/agent0/src/auth/okta-auth.ts b/packages/agent0/src/auth/okta-auth.ts
index 77425fb..6278290 100644
--- a/packages/agent0/src/auth/okta-auth.ts
+++ b/packages/agent0/src/auth/okta-auth.ts
@@ -42,7 +42,10 @@ export function createSessionMiddleware(sessionSecret: string) {
 saveUninitialized: false,
 rolling: true, // Reset maxAge on every response
 cookie: {
-secure: false, // Set to true in production with HTTPS
+// Cookie secure flag - controls whether cookies are sent only over HTTPS.
+// Default: true (secure). Browsers reject secure cookies over HTTP.
+// For local development without HTTPS, set COOKIE_SECURE=false in your .env file.
+secure: process.env.COOKIE_SECURE,
 httpOnly: true,
 maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
 sameSite: 'lax', // Prevent CSRF while allowing normal navigation
diff --git a/packages/todo0/.env.app.example b/packages/todo0/.env.app.example
index a12ff26..b08868c 100644
--- a/packages/todo0/.env.app.example
+++ b/packages/todo0/.env.app.example
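Review bot: `secure: process.env.COOKIE_SECURE,` in the okta-auth.ts hunk assigns the raw environment string, so the documented default does not hold: `COOKIE_SECURE=false` from the example file is a non-empty string and therefore truthy, while an unset variable yields `undefined`, which in express-session (the option names suggest that library) means the Secure attribute is simply not emitted — the opposite of the "Default: true (secure)" comment two lines above. The sibling change in `packages/todo0/src/app-server.ts` already uses the correct form; make this one match it: `secure: process.env.COOKIE_SECURE !== 'false',`. Under `strict` the `string | undefined` value should also fail to type-check against the `boolean | 'auto'` cookie option, assuming the express-session typings are installed. createSessionMiddleware's body continues outside the hunk.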
@@ -4,6 +4,10 @@
 PORT=5001
 SESSION_SECRET=your-session-secret-change-in-production
+# Cookie secure flag - set to false for local HTTP development.
+# In production with HTTPS, remove this line or set to true.
+COOKIE_SECURE=false
+
 # ============================================================================
 # TODO0 APP - OKTA OAUTH (HUMAN SSO)
 # ============================================================================
diff --git a/packages/todo0/src/app-server.ts b/packages/todo0/src/app-server.ts
index 3d5b6f8..c8ede7c 100644
--- a/packages/todo0/src/app-server.ts
+++ b/packages/todo0/src/app-server.ts
@@ -131,8 +131,11 @@ app.use(session({
 resave: false,
 saveUninitialized: false,
 rolling: true, // Keep session alive with activity
-cookie: {
-secure: false,
+cookie: {
+// Cookie secure flag - controls whether cookies are sent only over HTTPS.
+// Default: true (secure). Browsers reject secure cookies over HTTP.
+// For local development without HTTPS, set COOKIE_SECURE=false in your .env file.
+secure: process.env.COOKIE_SECURE !== 'false',
 httpOnly: true,
 maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
 sameSite: 'lax',
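Review bot: With `secure` now defaulting to true in the app-server.ts hunk, the session cookie is only set when the middleware considers the request itself to be HTTPS; if this is express-session, as the option names suggest, a deployment behind a TLS-terminating proxy will silently never receive the cookie unless the app also enables `trust proxy`, and nothing in the hunk shows whether that is configured. A short comment on the `secure:` line would save the next operator a debugging session: `// Behind a TLS-terminating proxy the app must trust the proxy (app.set('trust proxy', ...)) or the cookie is never sent.` Note too that only the exact lowercase string `'false'` disables the flag, so `'0'` or `'FALSE'` keep the cookie secure — fail-safe, but worth stating in the comment so it is not mistaken for a bug. The `app.use(session({` call begins and ends outside the hunk.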