diff --git a/main.go b/main.go
index c2ee189b..feca1df9 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,8 @@ var (
 	htpasswdFile            = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
 	cookieSecret            = flag.String("cookie-secret", "", "the seed string for secure cookies")
 	cookieDomain            = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to")
+	cookieExpire            = flag.Int("cookie-expire", 168 * 60, "expire time for cookie")
+	cookieSecure            = flag.Bool("cookie-secure", false, "HTTPS only cookie")
 	authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
 	googleAppsDomains       = StringArray{}
 	upstreams               = StringArray{}
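Review bot: The `cookie-expire` flag's help text gives no unit, and the default `168 * 60` reads as minutes (it matches the 168-hour expiry the oauthproxy.go hunk removes), yet that hunk passes the raw value to `time.Duration(*cookieExpire)`, which is nanoseconds; the two need to agree. Stating the unit in the help string, `"expire time for cookie, in minutes (0 for a session cookie)"`, and applying the same unit at the use site would close the gap. Whether 0 is meant to produce a session cookie is inferred from the `need_expire` branch in the other hunk and should be confirmed by the author.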
diff --git a/oauthproxy.go b/oauthproxy.go
index e5f5019a..9f9bfbe9 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -184,14 +184,27 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
 	if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
 		domain = *cookieDomain
 	}
+	need_expire := true
+	expire := time.Now().Add(time.Duration(*cookieExpire))
+	if *cookieExpire == 0 {
+		need_expire = false
+	}
+	http_only := true
+	secure := false
+	if *cookieSecure {
+		http_only = false
+		secure = true
+	}
 	cookie := &http.Cookie{
 		Name:     p.CookieKey,
 		Value:    signedCookieValue(p.CookieSeed, p.CookieKey, val),
 		Path:     "/",
 		Domain:   domain,
-		Expires:  time.Now().Add(time.Duration(168) * time.Hour), // 7 days
-		HttpOnly: true,
-		// Secure: req. ... ? set if X-Scheme: https ?
+		HttpOnly: http_only,
+		Secure:   secure,
+	}
+	if need_expire {
+		cookie.Expires = expire
 	}
 	http.SetCookie(rw, cookie)
 }
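Review bot: Setting `cookie-secure` turns off HttpOnly (`http_only = false` in the `if *cookieSecure` branch), so the more hardened configuration exposes the session cookie to script access; the two attributes are independent and HttpOnly should stay true in both cases, `HttpOnly: true,` and `Secure: *cookieSecure,`, which also removes the two temporaries. Separately, `time.Now().Add(time.Duration(*cookieExpire))` treats the flag as nanoseconds, so with the default the cookie is already expired when the browser receives it; multiply by the unit the flag is documented in, e.g. `expire := time.Now().Add(time.Duration(*cookieExpire) * time.Minute)`. The locals `need_expire` and `http_only` should be MixedCaps (`needExpire`, `httpOnly`) per Go convention. SetCookie's opening lines are outside this hunk.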