diff --git a/bruno/user/Logout User.bru b/bruno/user/Logout User.bru
new file mode 100644
index 0000000..b025842
--- /dev/null
+++ b/bruno/user/Logout User.bru
@@ -0,0 +1,11 @@
+meta {
+ name: Logout User
+ type: http
+ seq: 5
+}
+
+post {
+ url: {{api_base}}/auth/logout
+ body: none
+ auth: inherit
+}
diff --git a/crates/backend/src/controller/auth.rs b/crates/backend/src/controller/auth.rs
index 03cfb02..a24ce35 100644
--- a/crates/backend/src/controller/auth.rs
+++ b/crates/backend/src/controller/auth.rs
@@ -1,12 +1,12 @@
 use actix_session::Session;
 use actix_web::{
- post,
+ HttpRequest, HttpResponse, Responder, post,
 web::{self, ServiceConfig},
- HttpResponse, Responder,
 };
+use log::debug;
 use serde::Deserialize;
 
-use crate::{error::ApiError, Database};
+use crate::{Database, error::ApiError};
 
 #[derive(Deserialize)]
 struct LoginRequest {
@@ -15,7 +15,7 @@ struct LoginRequest {
 }
 
 pub fn setup(cfg: &mut ServiceConfig) {
- cfg.service(login);
+ cfg.service(login).service(logout);
 }
 
 #[post("/login")]
@@ -34,3 +34,12 @@ async fn login(
 
 Ok(HttpResponse::Ok())
 }
+
+#[post("/logout")]
+async fn logout(session: Session, request: HttpRequest) -> Result {
+ debug!("request cookies: {:?}", request.cookies());
+ debug!("Session entries: {:?}", session.entries());
+ session.purge();
+ debug!("Session entries after purge: {:?}", session.entries());
+ Ok(HttpResponse::Ok().body("Logged out successfully"))
+}
diff --git a/crates/backend/src/main.rs b/crates/backend/src/main.rs
index e8133a0..fda900c 100644
--- a/crates/backend/src/main.rs
+++ b/crates/backend/src/main.rs
@@ -1,5 +1,7 @@
 use actix_files::NamedFile;
+use actix_session::Session;
 use actix_session::{SessionMiddleware, storage::RedisSessionStore};
+use actix_web::cookie::SameSite;
 use actix_web::{App, HttpResponse, HttpServer, cookie::Key, middleware::Logger, web};
 use log::debug;
 
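Review bot: The two `debug!` lines at the top of `logout` write `request.cookies()` and `session.entries()` to the log, which puts the session cookie value and whatever the session stores into log output on every logout; log aggregation typically keeps that far longer than the session itself. Drop both pre-purge lines and the post-purge one (which adds little, since `purge()` is what clears the state), or if a trace is wanted, log only the event and never the values — `debug!("logout: purging session");`. The return type appears here as a bare `Result`; if that is not a crate-level alias it most likely lost its type parameters (e.g. `<impl Responder, ApiError>`) to extraction, so confirm against the file rather than the rendering.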
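Review bot: `use actix_session::Session;` added to main.rs is not referenced by any visible hunk in that file, so it appears to be an unused import that rustc will warn on; if nothing outside the shown hunks uses it, remove the line. The rest of main.rs is not visible, so this is inferred from the diff alone.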
@@ -40,14 +42,23 @@ async fn main() -> std::io::Result<()> {
 debug!("Secret Key {:?}", secret_key.master());
 
 HttpServer::new(move || {
+ let session_middleware = SessionMiddleware::builder(redis_conn.clone(), secret_key.clone());
+
+ let session_middleware = if cfg!(debug_assertions) {
+ session_middleware.cookie_secure(false)
+ } else {
+ session_middleware
+ .cookie_same_site(SameSite::Strict)
+ .cookie_secure(true)
+ };
+
+ let session_middleware = session_middleware.build();
+
 let app = App::new()
 .app_data(web::Data::new(database.clone()))
 .app_data(web::Data::new(app_config.clone()))
 .wrap(Logger::default())
- .wrap(SessionMiddleware::new(
- redis_conn.clone(),
- secret_key.clone(),
- ))
+ .wrap(session_middleware)
 .service(web::scope("/api/v1").configure(controller::register_controllers));
 
 #[cfg(feature = "serve")]
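Review bot: Gating `cookie_secure(false)` on `cfg!(debug_assertions)` ties the session cookie's security posture to the compile profile rather than to deployment configuration: any build compiled with debug assertions that ends up behind TLS ships a session cookie without the Secure flag, and nothing at runtime can correct it. Since `app_config` is already cloned into the app a few lines below, a runtime setting (constructed placeholder name `app_config.secure_cookies`) would make the choice explicit and testable, and `SameSite::Strict` can then be applied in both branches so debug and release differ only in the Secure flag: `.cookie_same_site(SameSite::Strict).cookie_secure(secure_cookies)`. Note that Strict also withholds the cookie on top-level navigations arriving from other sites, which is fine for fetch/XHR API calls but means a deep link from an external page arrives unauthenticated — confirm that matches the front end's expectations. Unrelated to this change but visible as context at the top of the hunk, `debug!("Secret Key {:?}", secret_key.master())` writes the cookie signing/encryption key to the log and should be removed while this code is being touched. The enclosing `main` starts and ends outside the hunk.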