diff --git a/browserid/app.js b/browserid/app.js
index 3c55d9f47402b99f7bf1df11104c78774c001ae1..8e3fceb00e8f443bc97368ddd5fc612bb71deb04 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -133,12 +133,18 @@ exports.setup = function(server) {
         path: '/',
         httpOnly: true,
         maxAge: 14400000,
-        //secure: overSSL
+        secure: overSSL
       }
   });
 
   // cookie sessions
   server.use(function(req, resp, next) {
+    // we set this parameter so the connect-cookie-session
+    // sends the cookie even though the local connection is HTTP
+    // (the load balancer does SSL)
+    if (overSSL)
+      req.connection.proxySecure = true;
+
     try {
       cookieSessionMiddleware(req, resp, next);
     } catch(e) {
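Review bot: The added `if (overSSL)` guard marks every request as secure from configuration alone, so the session middleware is told the client hop used TLS whether or not it did. If the load balancer also forwards a plain-HTTP listener to this process (not visible in the hunk), the session `Set-Cookie` would go out on a cleartext response despite the `secure` flag. Consider keying on the forwarded protocol, e.g. `if (overSSL && req.headers['x-forwarded-proto'] === 'https') { req.connection.proxySecure = true; }`, which is only trustworthy if the balancer sets and overwrites that header and the app port is reachable only through it. Otherwise, extend the comment to state that the balancer is assumed to accept HTTPS only. The middleware function continues past the end of the hunk.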