diff --git a/src/server.js b/src/server.js
index 86c7a10..57f0cdf 100644
--- a/src/server.js
+++ b/src/server.js
@@ -33,6 +33,8 @@ if (dev) {
 app.use(morgan('dev'))
 }
+app.set('trust proxy', 1)
+
 const router = express.Router()
 const sortfields = ['id', 'track', 'artist', 'title', 'album', 'year', 'file']
@@ -46,7 +48,7 @@ app.use(session({
 resave: false,
 saveUninitialized: true,
 cookie: {
- secure: process.env.NODE_ENV !== 'development',
+ secure: !dev,
 maxAge: 2678400000 // 1 month
 }
 }))
diff --git a/src/user.js b/src/user.js
index d8bf369..ec399fa 100644
--- a/src/user.js
+++ b/src/user.js
@@ -94,12 +94,8 @@ export function user (dbPromise, oauth, registrations) {
 })
 router.get('/login/oauth', async (req, res) => {
- let state
- if (req.session && req.session.oauthState) {
- state = req.session.oauthState
- } else {
- req.session.oauthState = crypto.randomBytes(16).toString('hex')
- }
+ let state = crypto.randomBytes(16).toString('hex')
+ req.session.oauthState = state
 return res.redirect(oauth2.getAuthorizeUrl({
 'redirect_uri': oauth.redirectUri,
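Review bot: `app.set('trust proxy', 1)` is applied unconditionally, so Express takes the client address and protocol from the `X-Forwarded-*` headers of whatever connects directly, including in dev and in any deployment where the app port is reachable without the reverse proxy. The session cookie's `secure` handling in the next hunk depends on that forwarded protocol, so the assumption deserves a comment, e.g. `// exactly one TLS-terminating reverse proxy sits in front of this app; the port must not be exposed directly`. Guarding it as `if (!dev) app.set('trust proxy', 1)` would keep local runs from honouring client-supplied forwarding headers.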
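Review bot: `secure: !dev` ties the cookie's Secure flag to `dev`, which is defined outside this hunk, so it cannot be confirmed from here that an unset or mistyped `NODE_ENV` still yields a secure cookie. The removed expression failed closed (anything other than 'development' got `secure: true`); if `dev` is computed as something like `NODE_ENV !== 'production'`, the default becomes a non-secure cookie. A comment would pin the intent, e.g. `// dev must be true only when NODE_ENV === 'development', so the cookie is Secure by default`. The cookie options shown also set no `sameSite`; stating `sameSite: 'lax'` explicitly would be worthwhile now that the session carries the OAuth state.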
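Review bot: `state` is never reassigned after this change, so the declaration should be `const state = crypto.randomBytes(16).toString('hex')`. The value stored in `req.session.oauthState` only protects the flow if the callback handler, which is outside this hunk, compares the returned `state` against it and deletes it after one use. A comment such as `// per-attempt CSRF state; verified and cleared in the OAuth callback` would make that contract explicit. Parallel login attempts in the same session now overwrite each other's state, which is worth knowing when diagnosing rejected callbacks. The handler body continues past the end of the hunk.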