diff --git a/src/main.rs b/src/main.rs
index eb17c63..99f6a06 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -179,12 +179,11 @@ async fn oauth2_callback(
 .wrap_err("Unable to get user self")?;
 let mut cookie = Cookie::new("manager_token", res.id.to_string());
- cookie.set_same_site(SameSite::None);
- cookie.set_secure(false);
 cookie.set_path("/");
- // cookie.set_domain("localhost:3000");
- // cookie.set_http_only(Some(false));
+ cookie.set_secure(true);
+ cookie.set_http_only(true);
 let ujar = jar.add(cookie);
+ debug!("end login");
 Ok((ujar, Redirect::to("/manager")))
 };
 match inner().await {
@@ -210,6 +209,7 @@ impl FromRequestParts for UserLoggedIn {
 .await
 .unwrap();
 let Some(id) = jar.get("manager_token") else {
+ debug!("no token");
 return Err((
 StatusCode::TEMPORARY_REDIRECT,
 jar,
@@ -219,6 +219,7 @@ impl FromRequestParts for UserLoggedIn {
 let Ok(user_id) = id.value().parse::() else {
 let jar = jar.remove("manager_token");
+ debug!("token not u64");
 return Err((
 StatusCode::TEMPORARY_REDIRECT,
 jar,
@@ -229,6 +230,7 @@ impl FromRequestParts for UserLoggedIn {
 if state.allowed.lock().await.contains(&user_id) {
 Ok(UserLoggedIn)
 } else {
+ debug!("token not allowed");
 let jar = jar.remove("manager_token");
 Err((
 StatusCode::TEMPORARY_REDIRECT,
diff --git a/src/oauth2.rs b/src/oauth2.rs
index 0c172bb..6b14a4f 100644
--- a/src/oauth2.rs
+++ b/src/oauth2.rs
@@ -98,7 +98,7 @@ impl OauthClient {
 ))
 .build()
 .wrap_err("Failed to build URI")?;
- Ok(dbg!(uri))
+ Ok(uri)
 }
 pub async fn get_user_token(
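Review bot: The `manager_token` cookie built in the `oauth2_callback` hunk of src/main.rs still carries the bare `res.id.to_string()`, and the `UserLoggedIn` extractor hunks below accept any value that parses as an integer and is found in `state.allowed`. `Secure` and `HttpOnly` therefore protect the cookie in transit and from page scripts, but nothing ties the value to a completed OAuth login. The value should be integrity-protected: either switch to a signed or encrypted jar (axum-extra offers `SignedCookieJar` and `PrivateCookieJar`, assuming `jar` is its `CookieJar`) or store a random server-side session id that maps to the user. Separately, the commit drops `SameSite::None` without choosing a replacement; stating it explicitly, `cookie.set_same_site(SameSite::Lax);`, avoids depending on per-browser defaults. The enclosing closure starts and ends outside the hunk.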
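Review bot: In the `UserLoggedIn` extractor hunks at -219 and -229 of src/main.rs, the new `debug!("token not u64")` and `debug!("token not allowed")` log the two rejections that matter for detection at a level usually filtered out in production, and without the id involved. A cookie that fails to parse was never issued by `oauth2_callback`, and an id missing from `state.allowed` is a denied access attempt, so both are worth `warn!`. The second can name the id, e.g. `warn!("manager_token rejected: user {user_id} is not in the allow-list");`, assuming the logging macros in use accept inline format arguments and `warn!` is in scope. For the unparsable case, log only that parsing failed, never the raw cookie value. The extractor body starts and ends outside these hunks.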