diff --git a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
index a227191d4ae0d36aad2c7f5050d0e176a14e0326..66dc6025c27cde0018717196d5016a352c4e46c5 100644
--- a/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
+++ b/datastore_server/source/java/ch/systemsx/cisd/openbis/dss/generic/server/DataStoreServer.java
@@ -251,6 +251,8 @@ public class DataStoreServer
                 ServiceProvider.getApplicationContext());
         // Disable URL rewriting (forces container to stop appending ";jsessionid=xxx" to urls)
         // to avoid mistakes in URL parsing by download servlets
+        servletContextHandler.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
+        servletContextHandler.getSessionHandler().getSessionCookieConfig().setSecure(true);
         servletContextHandler.getSessionHandler()
                 .setSessionIdPathParameterName(null);
         String applicationName = "/" + DATA_STORE_SERVER_WEB_APPLICATION_NAME;