diff --git a/ldap_config.json b/ldap_config.json
index 5171f9519db86f9ad9e2149b2ee0ad078a0dde0c..1ca09a734327234fb122716205b97fe45b3aa1dd 100644
--- a/ldap_config.json
+++ b/ldap_config.json
@@ -50,6 +50,5 @@
 		"directory": "homeDirectory",
 		"cleanFullName": "gecos",
 		"classes": "objectClass"
-	},
-	"sessionSecret":"ozyNMHdT,WFTu|t"
+	}
 }
\ No newline at end of file
diff --git a/src/app.ts b/src/app.ts
index c1dcb15d0d162d7d92d056f501a5a3c7d78a04db..757ba895356f27f6abc5b7b590b95ea15b4d0992 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -8,7 +8,7 @@
  * On peut considérer que les app.use (et app.get et app.post) sont pattern-matchés et
  * exécutés séquentiellement. http://expressjs.com/en/guide/using-middleware.html
  * 
- * @author manifold, kadabra
+ * @author manifold, kadabra, ofacklam
  */
 import express from 'express';
 import bodyParser from 'body-parser';
@@ -85,11 +85,21 @@ app.use(favicon(path.resolve(__dirname, 'assets', 'favicon.ico')));
  * @todo [critical] configure express-session (session store and other options)
  * @todo choose a session secret and where to store it
  * https://www.npmjs.com/package/express-session
+ * Sur l'utilité des flags dans les cookies : https://www.information-security.fr/securite-sites-web-lutilite-flags-secure-httponly/
  */
 // load data from the session identified by the cookie (if one exists), into req.session
 // on ne manipulera pas req.session directement, on laisser toujours passport le faire pour nous
 app.use(expressSession({
     secret: "asdfjklkjfdsasdfjklkljfdsa",
+    resave: false, // 'resave: true' forces the session to be saved back to the session store (false OK if store implements touch())
+    rolling: false, // 'rolling: true' resets expiration at every response
+    saveUninitialized: true, // 'saveUninitialized: true' forces empty sessions to also be stored in a cookie
+    //store: ,// default is NOT good => @ofacklam est d'avis d'utiliser 'connect-session-knex', comme ca on peut le plug directement dans notre BDD. 
+    cookie: { 
+        maxAge: 3600000, // Une heure avant expiration du cookie (en millisecondes)
+        //secure: true, // Le cookie ne peut transiter qu'en HTTPS. ATTENTION :  If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express
+        httpOnly: true
+    } 
 }));
 app.use(passport.initialize());
 //passport.session(): load the user object onto req.user if a serialised user object was found in the req.session
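Review bot: `saveUninitialized: true` in the new options creates a store entry and sets a cookie for every unauthenticated visitor, which for a passport login flow is unnecessary and is the setting express-session itself advises against for login sessions and consent-bound cookies; `saveUninitialized: false,` lets the session be created on authentication only. The new `cookie` object also sets no `sameSite`, so adding `sameSite: 'lax',` next to `httpOnly: true` would give a cheap CSRF mitigation for the session cookie. The `secret` on the context line just above the additions is still a string literal in source; it should be loaded from the environment or a file kept out of version control, and since this commit removes `sessionSecret` from ldap_config.json the old value should be treated as exposed because it remains in history. As the inline comment notes, `secure` stays commented out, so the cookie will travel over plaintext HTTP until `trust proxy` is configured and that flag is enabled.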