diff --git a/browserid/app.js b/browserid/app.js
index 4a3ecdaf9db7a4b091252cfb8c4d8e24a7e42ab7..c4dbf41d7b403ebcb3e999bd0d531be1258e97d4 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -35,13 +35,7 @@
 
 const
 fs = require('fs'),
-path = require('path');
-
-// create the var directory if it doesn't exist
-var VAR_DIR = path.join(__dirname, "var");
-try { fs.mkdirSync(VAR_DIR, 0755); } catch(e) { };
-
-const
+path = require('path'),
 url = require('url'),
 crypto = require('crypto'),
 wsapi = require('./lib/wsapi.js'),
@@ -62,9 +56,7 @@ logger.info("browserid server starting up");
 // open the databse
 db.open(configuration.get('database'));
 
-// looks unused, see run.js
-// const STATIC_DIR = path.join(path.dirname(__dirname), "static");
-const COOKIE_SECRET = secrets.hydrateSecret('cookie_secret', VAR_DIR);
+const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', configuration.get('var_path'));
 const COOKIE_KEY = 'browserid_state';
 
 function internal_redirector(new_url) {
@@ -155,8 +147,6 @@ function router(app) {
   });
 };
 
-exports.varDir = VAR_DIR;
-
 exports.setup = function(server) {
   // request to logger, dev formatted which omits personal data in the requests
   server.use(express.logger({
@@ -175,7 +165,6 @@ exports.setup = function(server) {
 
   var cookieSessionMiddleware = sessions({
     secret: COOKIE_SECRET,
-    //    session_key: COOKIE_KEY,
     key: COOKIE_KEY,
     cookie: {
         path: '/',
diff --git a/browserid/lib/db_json.js b/browserid/lib/db_json.js
index 608476895e7c57c7bc68d7b73633854551461e60..a38da9d76af3aaa37f8759a7da205f2a74dd0868 100644
--- a/browserid/lib/db_json.js
+++ b/browserid/lib/db_json.js
@@ -42,14 +42,14 @@ const
 path = require('path'),
 fs = require('fs'),
 secrets = require('./secrets'),
-jsel = require('JSONSelect');
+jsel = require('JSONSelect'),
+logger = require('../../libs/logging.js').logger,
+configuration = require('../../libs/configuration.js');
 
 // a little alias for stringify
 const ESC = JSON.stringify;
 
-var VAR_DIR = path.join(path.dirname(__dirname), "var");
-
-var dbPath = path.join(VAR_DIR, "authdb.json");
+var dbPath = path.join(configuration.get('var_path'), "authdb.json");
 
 /* The JSON database. The structure is thus:
  *  [
@@ -75,7 +75,11 @@ var stagedEmails = { };
 var staged = { };
 
 function flush() {
-  fs.writeFileSync(dbPath, JSON.stringify(db));
+  try {
+    var e = fs.writeFileSync(dbPath, JSON.stringify(db));
+  } catch (e) {
+    logger.error("Cannot save database to " + dbPath);
+  }
 }
 
 // when should a key created right now expire?
diff --git a/libs/configuration.js b/libs/configuration.js
index 5e98b4611dd419a4de67aa50daa32b98ae62ddf0..faec8c14542e74230cc29ae0e1333d47f09b4ab4 100644
--- a/libs/configuration.js
+++ b/libs/configuration.js
@@ -66,7 +66,7 @@ g_configs.production = {
   port: '443',
   scheme: 'https',
   use_minified_resources: true,
-  log_path: '/home/browserid/var/',
+  var_path: '/home/browserid/var/',
   database: {
     driver: "mysql",
     user: 'browserid'
@@ -90,7 +90,7 @@ g_configs.local =  {
   scheme: 'http',
   email_to_console: true, // don't send email, just dump verification URLs to console.
   use_minified_resources: false,
-  log_path: path.join(__dirname, "..", "var", "logs"),
+  var_path: path.join(__dirname, "..", "var"),
   database: { driver: "json" }
 };
 
diff --git a/libs/logging.js b/libs/logging.js
index 68250d4b044f8dc556122bd6c6cc3ad4215d8aa8..deb0aa174b7d234171bcbb236489d9d7e57f60e9 100644
--- a/libs/logging.js
+++ b/libs/logging.js
@@ -53,7 +53,7 @@ path = require('path'),
 fs = require('fs');
 
 // go through the configuration and determine log location
-var log_path = configuration.get('log_path');
+var log_path = path.join(configuration.get('var_path'), 'log');
 
 // simple inline function for creation of dirs
 function mkdir_p(p) {
diff --git a/libs/metrics.js b/libs/metrics.js
index 8b23a3e0a8715e604c6640ce296f5938b87772f1..22e4c0330393478c5d0980a58fa88effa433185d 100644
--- a/libs/metrics.js
+++ b/libs/metrics.js
@@ -60,7 +60,7 @@ fs = require('fs');
 // for now we only log to one place
 // FIXME: separate logs depending on purpose?
 
-var log_path = configuration.get('log_path');
+var log_path = path.join(configuration.get('var_path'), 'log');
 var LOGGER;
 
 // simple inline function for creation of dirs
diff --git a/verifier/app.js b/verifier/app.js
index ee39f29aa4059496fb9d6a59cd780ee1fa66d5ff..9c8d36b102841a202d9595e53d114343d3246d90 100644
--- a/verifier/app.js
+++ b/verifier/app.js
@@ -45,10 +45,6 @@ const   path = require('path'),
 
 logger.info("verifier server starting up");
 
-// create the var directory if it doesn't exist
-var VAR_DIR = path.join(__dirname, "var");
-try { fs.mkdirSync(VAR_DIR, 0755); } catch(e) { }
-
 function doVerify(req, resp, next) {
   var assertion = (req.query && req.query.assertion) ? req.query.assertion : req.body.assertion;
   var audience = (req.query && req.query.audience) ? req.query.audience : req.body.audience;
@@ -108,8 +104,6 @@ function doVerify(req, resp, next) {
   }
 }
 
-exports.varDir = VAR_DIR;
-
 exports.setup = function(app) {
   // request to logger, dev formatted which omits personal data in the requests