diff --git a/README.md b/README.md
index 1ed93206..badb93e7 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,8 @@ Session store-related settings:
 | `OIDC_STATE_STORE_PATH` | "/var/lib/authservice/oidc_state.db" | Path to the session store used to save the sessions for the OIDC state parameter. |
 | `SESSION_MAX_AGE` | "86400" | Time in seconds after which sessions expire. Defaults to a day (24h). |
 | `SESSION_SAME_SITE` | "Lax" | SameSite attribute of the session cookie. Check details of SameSite attribute [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). Its value can be "None", "Lax" or "Strict". |
+| `SESSION_HTTP_ONLY` | `false` | HttpOnly attribute of the session cookie. Check details of SameSite attribute [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes). Its value can be "true" or "false". |
+| `SESSION_SECURE` | `false` | Secure attribute of the session cookie. Check details of SameSite attribute [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes). Its value can be "true" or "false". |
 | `SESSION_STORE_TYPE`| "boltdb" | Set `SESSION_STORE_TYPE` to either "boltdb" to use BoltDB as the session store, or "redis" to use redis as the session store. Note that only one of the two can be used, also if you select redis then depending on your redis configurations then you might need to set the password and the number of the database that OIDC-AuthService will use as a [redis-client](https://redis.uptrace.dev/guide/go-redis.html#connecting-to-redis-server).|
 | `SESSION_STORE_REDIS_ADDR`| "127.0.0.1:6379" | Set the `host:port` address for the redis session store. |
 | `SESSION_STORE_REDIS_PWD`| "" | Set the password to connect with the redis session store. |
diff --git a/common/settings.go b/common/settings.go
index b1844ee7..b0e91444 100644
--- a/common/settings.go
+++ b/common/settings.go
@@ -59,6 +59,8 @@ type Config struct {
 	SessionStoreRedisDB   int    `split_words:"true" default:"0" envconfig:"SESSION_STORE_REDIS_DB"`
 	SessionMaxAge         int    `split_words:"true" default:"86400"`
 	SessionSameSite       string `split_words:"true" default:"Lax"`
+	SessionHttpOnly       bool   `split_words:"true" default:"false"`
+	SessionSecure         bool   `split_words:"true" default:"false"`
 
 	// Site
 	ClientName          string            `split_words:"true" default:"AuthService"`
diff --git a/main.go b/main.go
index 1e133237..69b22ed2 100644
--- a/main.go
+++ b/main.go
@@ -218,6 +218,8 @@ func main() {
 		},
 		userIdTransformer:       c.UserIDTransformer,
 		sessionMaxAgeSeconds:    c.SessionMaxAge,
+		sessionHttpOnly:         c.SessionHttpOnly,
+		sessionSecure:           c.SessionSecure,
 		strictSessionValidation: c.StrictSessionValidation,
 		cacheEnabled:            c.CacheEnabled,
 		cacheExpirationMinutes:  c.CacheExpirationMinutes,
diff --git a/server.go b/server.go
index 37dc565f..0777c252 100644
--- a/server.go
+++ b/server.go
@@ -66,6 +66,8 @@ type server struct {
 	userIdTransformer      common.UserIDTransformer
 	caBundle               []byte
 	sessionSameSite        http.SameSite
+	sessionHttpOnly        bool
+	sessionSecure          bool
 }
 
 // authenticate_or_login calls initiates the Authorization Code Flow if the user
@@ -400,6 +402,8 @@ func (s *server) callback(w http.ResponseWriter, r *http.Request) {
 	session.Options.Path = "/"
 	// Extra layer of CSRF protection
 	session.Options.SameSite = s.sessionSameSite
+	session.Options.HttpOnly = s.sessionHttpOnly
+	session.Options.Secure = s.sessionSecure
 
 	userID, ok := claims[s.idTokenOpts.UserIDClaim].(string)
 	if !ok {
@@ -469,22 +473,14 @@ func (s *server) logout(w http.ResponseWriter, r *http.Request) {
 
 	logger := common.RequestLogger(r, logModuleInfo)
 
-	// Only header auth allowed for this endpoint
-	sessionID := common.GetBearerToken(r.Header.Get(s.authHeader))
-	if sessionID == "" {
-		logger.Errorf("Request doesn't have a session value in header '%s'", s.authHeader)
-		w.WriteHeader(http.StatusUnauthorized)
-		return
-	}
-
 	// Revoke user session.
-	session, err := sessions.SessionFromID(sessionID, s.store)
+	session, authMethod, err := sessions.SessionFromRequest(r, s.store, sessions.UserSessionCookie, s.authHeader)
 	if err != nil {
 		logger.Errorf("Couldn't get user session: %v", err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
-	if session.IsNew {
+	if authMethod == "" {
 		logger.Warn("Request doesn't have a valid session.")
 		w.WriteHeader(http.StatusUnauthorized)
 		return