diff --git a/packages/node_modules/@node-red/editor-api/lib/auth/index.js b/packages/node_modules/@node-red/editor-api/lib/auth/index.js
index e39e972db..c5e1d93c7 100644
--- a/packages/node_modules/@node-red/editor-api/lib/auth/index.js
+++ b/packages/node_modules/@node-red/editor-api/lib/auth/index.js
@@ -160,20 +160,30 @@ function completeVerify(profile,done) {
 function genericStrategy(adminApp,strategy) {
- var crypto = require("crypto")
- var session = require('express-session')
- var MemoryStore = require('memorystore')(session)
+ const crypto = require("crypto")
+ const session = require('express-session')
+ const MemoryStore = require('memorystore')(session)
- adminApp.use(session({
- // As the session is only used across the life-span of an auth
- // hand-shake, we can use a instance specific random string
- secret: crypto.randomBytes(20).toString('hex'),
- resave: false,
- saveUninitialized: false,
- store: new MemoryStore({
- checkPeriod: 86400000 // prune expired entries every 24h
- })
- }));
+ const sessionOptions = {
+ // As the session is only used across the life-span of an auth
+ // hand-shake, we can use a instance specific random string
+ secret: crypto.randomBytes(20).toString('hex'),
+ resave: false,
+ saveUninitialized: false,
+ store: new MemoryStore({
+ checkPeriod: 86400000 // prune expired entries every 24h
+ })
+ }
+ if (settings.httpAdminCookieOptions) {
+ sessionOptions.cookie = {
+ path: '/',
+ httpOnly: true,
+ secure: false,
+ maxAge: null,
+ ...settings.httpAdminCookieOptions
+ }
+ }
+ adminApp.use(session(sessionOptions));
 //TODO: all passport references ought to be in ./auth
 adminApp.use(passport.initialize());
 adminApp.use(passport.session());
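Review bot: In the new `sessionOptions.cookie` block the spread of `settings.httpAdminCookieOptions` comes last, so a configuration value can switch off `httpOnly` as well as leave `secure: false` in place, and the code gives no hint which keys are expected. Since this cookie carries the session for the authentication hand-shake, I would add a comment above the `if` such as `// Defaults mirror express-session; set secure: true (and sameSite) in httpAdminCookieOptions when the editor is served over HTTPS`, and consider logging a warning when the merged result has `httpOnly === false`. Note that express-session only issues a `secure` cookie on connections it sees as secure, so deployments behind a TLS-terminating proxy presumably also need `trust proxy` configured on `adminApp`. The body of `genericStrategy` continues past the hunk, and `settings` is not declared in the visible lines, so I am assuming it is in module scope.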