diff --git a/lib/session.ts b/lib/session.ts
index dac1151..8cc6ea3 100644
--- a/lib/session.ts
+++ b/lib/session.ts
@@ -67,17 +67,15 @@ export async function createSession(payload: Omit)
 const cookieStore = await cookies();
- // In production, always use secure cookies if NEXTAUTH_URL is https
- // This handles Cloudflare tunnel scenarios where external URL is https
- // but internal communication is http
- const isSecure = process.env.NODE_ENV === 'production' &&
- process.env.NEXTAUTH_URL?.startsWith('https');
+ // For Cloudflare tunnel: external is HTTPS, internal is HTTP
+ // Use secure cookies when NEXTAUTH_URL is https (external URL)
+ const isSecure = process.env.NEXTAUTH_URL?.startsWith('https') ?? false;
 const cookieOptions = {
 httpOnly: true,
 secure: isSecure,
 expires: expiresAt,
- sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
+ sameSite: isSecure ? 'none' : 'lax', // none required for secure cross-site
 path: '/',
 } as const;
@@ -103,15 +101,13 @@ export async function updateSession() {
 const expires = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
 const newSession = await encrypt({ ...payload, expiresAt: expires });
- // In production, always use secure cookies if NEXTAUTH_URL is https
- const isSecure = process.env.NODE_ENV === 'production' &&
- process.env.NEXTAUTH_URL?.startsWith('https');
+ const isSecure = process.env.NEXTAUTH_URL?.startsWith('https') ?? false;
 cookieStore.set('session', newSession, {
 httpOnly: true,
 secure: isSecure,
 expires: expires,
- sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
+ sameSite: isSecure ? 'none' : 'lax',
 path: '/',
 });
 }
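Review bot: The trailing comment on the new `sameSite` line in createSession has the dependency backwards — browsers require `Secure` on a `SameSite=None` cookie, not `None` on a secure one — and `None` makes the session cookie accompany every cross-site request, so CSRF protection then has to come entirely from the route handlers. Nothing in this hunk shows a cross-site consumer (a Cloudflare tunnel is still same-site from the browser's point of view), so unless the app is embedded or called cross-origin the safer line is `sameSite: 'lax',` in both environments, with a comment explaining the need if `'none'` really is required. Separately, dropping the `NODE_ENV` guard means a production deployment with `NEXTAUTH_URL` unset, or set to an http URL, silently issues a non-`Secure` session cookie; unless plain-http production is a supported deployment I would fail closed, e.g. `const isSecure = process.env.NODE_ENV === 'production' || (process.env.NEXTAUTH_URL?.startsWith('https://') ?? false);`. createSession starts before this hunk and the `cookieStore.set` that consumes `cookieOptions` lies outside it.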
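Review bot: The `isSecure` expression and the cookie attribute object are now duplicated verbatim between updateSession and createSession, and the two copies already drift (the createSession copy carries a trailing comment on `sameSite` that this one lacks), so any later fix — for instance tightening `startsWith('https')` to `startsWith('https://')`, which today also accepts a value such as `httpsfoo`, or revisiting the `'none'` choice — has to be made in two places. I would move the computation into one helper that both call sites pass to `cookieStore.set`, keeping the commit's current attribute choices so the refactor stays behaviour-neutral. updateSession starts before this hunk; its closing brace is the last line shown.
```typescript
// Cookie attributes shared by createSession and updateSession.
// `secure` is derived from the externally visible URL so a Cloudflare tunnel
// (HTTPS outside, HTTP inside) still receives a Secure cookie.
function sessionCookieOptions(expires: Date) {
  const isSecure = process.env.NEXTAUTH_URL?.startsWith('https://') ?? false;
  return {
    httpOnly: true,
    secure: isSecure,
    expires,
    sameSite: isSecure ? 'none' : 'lax',
    path: '/',
  } as const;
}

// … unchanged: expires / newSession computation …
cookieStore.set('session', newSession, sessionCookieOptions(expires));
```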