diff --git a/app/its_dangerous_session.py b/app/its_dangerous_session.py
index a5e6f6699..27b4890a6 100644
--- a/app/its_dangerous_session.py
+++ b/app/its_dangerous_session.py
@@ -1,3 +1,5 @@
+from datetime import timedelta, datetime
+
 from werkzeug.datastructures import CallbackDict
 from flask.sessions import SessionInterface, SessionMixin
 from itsdangerous import URLSafeTimedSerializer, BadSignature
@@ -43,7 +45,8 @@ class ItsdangerousSessionInterface(SessionInterface):
 response.delete_cookie(app.session_cookie_name, domain=domain)
 return
- expires = self.get_expiration_time(app, session)
+ session.permanent=True
+ expires= datetime.utcnow() + timedelta(app.config.get('PERMANENT_SESSION_LIFETIME'))
 val = self.get_serializer(app).dumps(dict(session))
 response.set_cookie(app.session_cookie_name, val, expires=expires, httponly=True,
diff --git a/config.py b/config.py
index 81b40b715..e8d51e092 100644
--- a/config.py
+++ b/config.py
@@ -20,7 +20,7 @@ class Config(object):
 SESSION_COOKIE_NAME = 'notify_admin_session'
 SESSION_COOKIE_PATH = '/admin'
 SESSION_COOKIE_HTTPONLY = True
- SESSION_COOKIE_SECURE = True
+ SESSION_COOKIE_SECURE = False
 PERMANENT_SESSION_LIFETIME = 3600 # seconds
 API_HOST_NAME = os.getenv('API_HOST_NAME')
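Review bot: The new `expires=` line in the `@@ -43,7 +45,8 @@` hunk of app/its_dangerous_session.py passes `PERMANENT_SESSION_LIFETIME` as the first positional argument of `timedelta`, which is days, while config.py sets it to `3600 # seconds`, so the session cookie would stay valid for 3600 days instead of one hour. Use Flask's converted attribute, `expires = datetime.utcnow() + app.permanent_session_lifetime`, or at least `timedelta(seconds=...)`. The cookie expiry is enforced only by the browser; the code that loads the `URLSafeTimedSerializer` value is outside this hunk, so it is worth confirming it passes `max_age` so that an old cookie value is also rejected server-side. The enclosing method starts and ends outside the hunk.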
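Review bot: Setting `SESSION_COOKIE_SECURE = False` in the base `Config` class of config.py switches the Secure attribute off for every environment that inherits from it, so the admin session cookie can travel over plain HTTP. Keep `SESSION_COOKIE_SECURE = True` here and override it only in a development-only subclass or from an environment variable. The visible part of the `set_cookie` call in app/its_dangerous_session.py passes `httponly=True`, but the rest of the call is outside the hunk, so whether this setting reaches the cookie at all should be checked there. `Config`'s body continues outside the hunk.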