diff --git a/.env.example b/.env.example
index 2de2526be..1cf90ef9b 100644
--- a/.env.example
+++ b/.env.example
@@ -4,8 +4,7 @@ DATABASE_URL="file:./database/db.sqlite"
 # You can generate a new secret on the command line with:
 # openssl rand -base64 32
 # https://next-auth.js.org/configuration/options#secret
-NEXTAUTH_URL="http://localhost:3000"
-
+AUTH_TRUST_HOST="true"
 NEXTAUTH_SECRET="anything"
 
 # Disable analytics
diff --git a/Dockerfile b/Dockerfile
index f1a674f23..55051f3f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,7 +52,7 @@ EXPOSE $PORT
 ENV PORT=${PORT}
 
 ENV DATABASE_URL "file:/data/db.sqlite"
-ENV NEXTAUTH_URL "http://localhost:7575"
+ENV AUTH_TRUST_HOST="true"
 ENV PORT 7575
 ENV NEXTAUTH_SECRET NOT_IN_USE_BECAUSE_JWTS_ARE_UNUSED
 
diff --git a/package.json b/package.json
index 7eb148800..a497eff9c 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
     "dev": "next dev",
     "build": "NEXTAUTH_SECRET=WILL_BE_OVERWRITTEN next build",
     "analyze": "ANALYZE=true next build",
-    "turbo": "DATABASE_URL=file:WILL_BE_OVERWRITTEN.sqlite NEXTAUTH_URL=http://WILL_BE_OVERWRITTEN turbo build",
+    "turbo": "DATABASE_URL=file:WILL_BE_OVERWRITTEN.sqlite turbo build",
     "start": "next start",
     "typecheck": "tsc --noEmit",
     "export": "next build && next export",
diff --git a/src/env.js b/src/env.js
index 858595821..662856e5d 100644
--- a/src/env.js
+++ b/src/env.js
@@ -37,13 +37,6 @@ const env = createEnv({
     DATABASE_URL: z.string().url().default('file:../database/db.sqlite'),
     NEXTAUTH_SECRET:
       process.env.NODE_ENV === 'production' ? z.string().min(1) : z.string().min(1).optional(),
-    NEXTAUTH_URL: z.preprocess(
-      // This makes Vercel deployments not fail if you don't set NEXTAUTH_URL
-      // Since NextAuth.js automatically uses the VERCEL_URL if present.
-      (str) => process.env.VERCEL_URL ?? str,
-      // VERCEL_URL doesn't include `https` so it cant be validated as a URL
-      process.env.VERCEL ? z.string().min(1) : z.string().url()
-    ),
     DOCKER_HOST: z.string().optional(),
     DOCKER_PORT: portSchema,
     DEMO_MODE: z.string().optional(),
@@ -136,7 +129,6 @@ const env = createEnv({
   runtimeEnv: {
     DATABASE_URL: process.env.DATABASE_URL,
     NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
-    NEXTAUTH_URL: process.env.NEXTAUTH_URL,
     NEXT_PUBLIC_DISABLE_ANALYTICS: process.env.DISABLE_ANALYTICS,
     DOCKER_HOST: process.env.DOCKER_HOST,
     DOCKER_PORT: process.env.DOCKER_PORT,
diff --git a/src/server/auth.ts b/src/server/auth.ts
index 5f56c5c66..9b7e19a93 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -106,6 +106,17 @@ export const constructAuthOptions = async (
   },
   adapter: adapter as Adapter,
   providers: [...(await getProviders(req.headers)), EmptyNextAuthProvider()],
+  cookies: {
+    sessionToken: {
+      name: 'next-auth.session-token',
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: true,
+      },
+    },
+  },
   jwt: {
     async encode(params) {
       if (!isCredentialsRequest(req)) {