diff --git a/app/api/auth/login/route.ts b/app/api/auth/login/route.ts
index 4c0aa3e..1ed26b9 100644
--- a/app/api/auth/login/route.ts
+++ b/app/api/auth/login/route.ts
@@ -35,6 +35,14 @@ export async function POST(request: NextRequest) {
 role: user[0].role as 'user' | 'admin',
 });
+ // Debug: Check if cookie was actually set
+ console.log('LOGIN: Session created for user:', user[0].email);
+ console.log('LOGIN: Request headers:', {
+ host: request.headers.get('host'),
+ 'x-forwarded-proto': request.headers.get('x-forwarded-proto'),
+ 'user-agent': request.headers.get('user-agent')
+ });
+
 // Log the login activity
 await logActivity({
 userId: user[0].id,
diff --git a/lib/session.ts b/lib/session.ts
index af9fae7..dac1151 100644
--- a/lib/session.ts
+++ b/lib/session.ts
@@ -73,13 +73,22 @@ export async function createSession(payload: Omit)
 const isSecure = process.env.NODE_ENV === 'production' && process.env.NEXTAUTH_URL?.startsWith('https');
- cookieStore.set('session', session, {
+ const cookieOptions = {
 httpOnly: true,
 secure: isSecure,
 expires: expiresAt,
- sameSite: 'lax',
+ sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
 path: '/',
+ } as const;
+
+ console.log('CREATE_SESSION: Setting cookie with options:', cookieOptions);
+ console.log('CREATE_SESSION: Environment:', {
+ NODE_ENV: process.env.NODE_ENV,
+ NEXTAUTH_URL: process.env.NEXTAUTH_URL,
+ isSecure
 });
+
+ cookieStore.set('session', session, cookieOptions);
 }
 
 export async function updateSession() {
@@ -102,7 +111,7 @@ export async function updateSession() {
 httpOnly: true,
 secure: isSecure,
 expires: expires,
- sameSite: 'lax',
+ sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
 path: '/',
 });
 }
diff --git a/middleware.ts b/middleware.ts
index 51ff337..1515487 100644
--- a/middleware.ts
+++ b/middleware.ts
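Review bot: The two `console.log` calls added after the session is created write the user's email address and User-Agent to stdout on every successful login, which puts PII into whatever log sink production uses, and the comment itself marks them as temporary debug output. If the cookie problem still needs tracing, log a non-identifying key instead, e.g. `console.log('LOGIN: Session created for user id:', user[0].id);`, and gate it behind an explicit switch such as `if (process.env.DEBUG_AUTH === '1')` so it cannot be left on by accident. The `logActivity` call that follows already records the login with `userId`, so this block looks redundant once the investigation is over. POST's body starts and ends outside the hunk.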
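Review bot: Changing `sameSite` to `'none'` in production strips the cross-site protection that `'lax'` gave the session cookie, so any third-party page can now make credentialed requests to this app and every state-changing route needs its own CSRF defence. It also interacts badly with `isSecure`: browsers refuse `SameSite=None` unless `Secure` is also set, and `isSecure` is false whenever `NEXTAUTH_URL` is unset or not `https`, so in that configuration the cookie is silently dropped — the very symptom this change is trying to diagnose. If cross-site use is genuinely required, never emit None without Secure, e.g. `sameSite: isSecure ? 'none' : 'lax',`; otherwise keep `'lax'` and fix the `NEXTAUTH_URL` / proxy configuration instead. The `CREATE_SESSION` environment dump is debug output and should be removed or gated before merge. createSession begins outside the hunk.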
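Review bot: The `sameSite` ternary is now duplicated between this hunk and `createSession`, with the same gating problem — `'none'` alongside `secure: false` is refused by browsers, so an `http` `NEXTAUTH_URL` in production silently breaks session refresh as well as login. Build both cookie option objects from one shared helper that computes `isSecure` once and returns the options, and make the SameSite value depend on it, e.g. `sameSite: isSecure ? 'none' : 'lax',`, so the two paths cannot drift apart. The rest of updateSession lies outside the hunk.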
@@ -15,6 +15,17 @@ export default async function middleware(req: NextRequest) {
 const isAuthRoute = authRoutes.includes(path);
 const cookie = req.cookies.get('session')?.value;
+
+ // Debug logging for production
+ if (!cookie && (isProtectedRoute || isAuthRoute)) {
+ console.log(`No session cookie found for ${path}, headers:`, {
+ host: req.headers.get('host'),
+ 'x-forwarded-proto': req.headers.get('x-forwarded-proto'),
+ 'x-forwarded-host': req.headers.get('x-forwarded-host'),
+ cookies: req.headers.get('cookie')
+ });
+ }
+
 const session = await decrypt(cookie);
 
 // Redirect to login if accessing protected route without session
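Review bot: The new block logs the raw `Cookie` header (`cookies: req.headers.get('cookie')`) on every unauthenticated request to a protected or auth route, which writes whatever other cookies the browser sends — other auth tokens, CSRF or analytics cookies — into the logs, and the header value is entirely client-controlled. Log only the cookie names, e.g. `cookieNames: req.headers.get('cookie')?.split(';').map((c) => c.split('=')[0].trim()),`, and put the whole block behind an explicit switch such as `process.env.DEBUG_AUTH === '1'` rather than shipping it unconditionally as "debug logging for production". The middleware function continues past the end of the hunk.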