diff --git a/package.json b/package.json
index 48e371f4..adffaadf 100644
--- a/package.json
+++ b/package.json
@@ -17,16 +17,12 @@
 "scripts": {
 "prestart": "npm run build",
 "start": "node index.js",
- "clean": "gulp clean",
- "build": "gulp build",
 "build_client": "gulp build:client",
 "build_server": "gulp build:server",
- "test": "npm run lint",
 "lint": "gulp jslint",
- "tsc": "gulp tsc",
 "gulp": "gulp"
 },
@@ -59,6 +55,7 @@
 "cookies-js": "^1.2.2",
 "event-stream": "^3.3.2",
 "express": "^4.13.4",
+ "express-session": "^1.13.0",
 "mkdirp": "^0.5.1",
 "moment": "^2.13.0",
 "option-t": "^0.18.3",
diff --git a/src/server/app/application.js b/src/server/app/application.js
index 9c9bb74f..61b17125 100644
--- a/src/server/app/application.js
+++ b/src/server/app/application.js
@@ -38,7 +38,7 @@ import {confirmAuth, initializeConnection} from '../route/socketio';
 import {ClientManager} from '../ClientManager';
-import {applyGenericSecurityHeader} from './security';
+import {applyGenericSecurityHeader, setSessionMiddleware} from './security';
 export class KarenServer {
@@ -46,7 +46,7 @@ export class KarenServer {
 const config = ConfigDriver.getConfig();
 this._config = Object.assign(config, options);
- this._express = createExpress();
+ this._express = createExpress(this._config);
 this._server = createServer(this._express, this._config);
 this._socketIo = createSocketIo(this._server, this._config);
 this._manager = new ClientManager();
@@ -102,12 +102,14 @@ export class KarenServer {
 }
 }
-function createExpress() {
+function createExpress(config) {
 const app = express();
 app.set('x-powered-by', false);
 app.use(applyGenericSecurityHeader);
 app.use(compression());
- app.enable('trust proxy');
+
+ setSessionMiddleware(app, config);
+
 return app;
 }
diff --git a/src/server/app/security.js b/src/server/app/security.js
index ef1f113d..8e54a92b 100644
--- a/src/server/app/security.js
+++ b/src/server/app/security.js
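Review bot: `"prestart": "npm run build"` is kept as context in the scripts hunk while the `build` script it invokes is removed in the same hunk, so `npm start` will now fail at the prestart step with a missing-script error before `node index.js` ever runs. Point prestart at scripts that still exist, e.g. `"prestart": "npm run build_client && npm run build_server",`, or restore a `build` entry that composes the two. Dropping `"test": "npm run lint"` likewise makes `npm test` fail with a missing script, which will break any CI job that relies on it; if that is intended it deserves a mention in the commit message. The hunk header counts 16 old lines but fewer are visible, so some context entries may have been lost in extraction.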
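Review bot: Moving `app.enable('trust proxy')` out of `createExpress` and into `setSessionMiddleware` hides a process-wide Express setting behind a function whose name only promises session setup; a reader of createExpress can no longer see that forwarded headers are trusted, which affects `req.ip`, `req.protocol` and therefore whether the session cookie is treated as secure. Either keep the `enable` call here and let setSessionMiddleware install only the session, or add a comment at the call site such as `// also enables 'trust proxy' so secure cookies work behind a TLS-terminating proxy`. The new parameter is undocumented; a JSDoc line like `@param {Object} config - server config; its https and public fields are read by the session setup` would make the coupling explicit. createExpress fits entirely within the hunk, so this is the whole function.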
@@ -22,6 +22,8 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
+import expressSession from 'express-session';
+
 const STRICT_TRANSPORT_SECURITY_EXPIRE_TIME = String(60 * 24 * 365 * 1000);
 export function applyGenericSecurityHeader(req, res, next) {
@@ -53,4 +55,23 @@ const cspDirectiveStr = [...cspDirective.entries()].map(function([key, value]){
 export function applyHtmlSecurtyHeader(req, res) {
 res.setHeader('Content-Security-Policy', cspDirectiveStr);
 res.setHeader('X-Frame-Options', 'DENY');
+}
+
+export function setSessionMiddleware(express, config) {
+ express.enable('trust proxy');
+
+ const httpsOptions = config.https || {};
+ const sessionOption = {
+ cookie: {
+ path: '/',
+ httpOnly: true,
+ secure: !!httpsOptions.enable,
+ maxAge: null,
+ },
+ secret: String(Date.now() * Math.random),
+ resave: false,
+ name: 'karen.sessionid',
+ saveUninitialized: config.public,
+ };
+ express.use(expressSession(sessionOption));
 }
\ No newline at end of file
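Review bot: `secret: String(Date.now() * Math.random)` references `Math.random` without calling it, so the multiplication yields NaN and every process signs session cookies with the constant secret `"NaN"`; the cookie signature then provides no protection against a forged `karen.sessionid`. Even with the call fixed, `Math.random()` is not a CSPRNG and a per-process secret rotates on every restart, invalidating all sessions and breaking any multi-instance deployment. Take the secret from configuration and fall back to a strong random value, e.g. `secret: config.sessionSecret || crypto.randomBytes(32).toString('hex'),` (with `import crypto from 'crypto';` next to the new express-session import). Separately, `express.enable('trust proxy')` is unconditional, so an `X-Forwarded-Proto` header from any client is believed when deciding whether a request is secure; presumably the server always sits behind a proxy, but that should be confirmed and ideally gated on config. `saveUninitialized: config.public` also means every anonymous visitor of a public instance gets a stored session in the default in-memory store, which is worth a comment stating why that is wanted.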