diff --git a/WorkFlow.API/Program.cs b/WorkFlow.API/Program.cs
index 06e70e8..49a1e42 100644
--- a/WorkFlow.API/Program.cs
+++ b/WorkFlow.API/Program.cs
@@ -2,6 +2,7 @@ using WorkFlow.Application;
 using DigitalData.UserManager.Application;
 using Microsoft.EntityFrameworkCore;
 using WorkFlow.Infrastructure;
+using Microsoft.AspNetCore.Authentication.Cookies;
 
 var builder = WebApplication.CreateBuilder(args);
 var config = builder.Configuration;
@@ -12,7 +13,17 @@ builder.Services.AddDbContext(options => options.UseSqlServer(cnn_s
 builder.Services.AddWorkFlow().AddUserManager();
 
 builder.Services.AddControllers();
-// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
+
+builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+    .AddCookie(options =>
+    {
+        options.Cookie.HttpOnly = true; // Makes the cookie inaccessible to client-side scripts for security
+        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Ensures cookies are sent over HTTPS only
+        options.Cookie.SameSite = SameSiteMode.Strict; // Protects against CSRF attacks by restricting how cookies are sent with requests from external sites
+        options.LoginPath = "/api/auth/login";
+        options.LogoutPath = "/api/auth/logout";
+    });
+
 builder.Services.AddEndpointsApiExplorer();
 builder.Services.AddSwaggerGen();
 
@@ -27,6 +38,8 @@ if (app.Environment.IsDevelopment())
 
 app.UseHttpsRedirection();
 
+app.UseAuthentication();
+
 app.UseAuthorization();
 
 app.MapControllers();
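Review bot: The comment on `options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;` does not match what that value does: SameAsRequest sets the Secure flag only when the request itself arrived over HTTPS, so a cookie issued on a plain-HTTP request (for example behind a TLS-terminating proxy whose forwarded headers are not configured) is sent without the flag. If HTTPS-only is the intent, the line should be `options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // Secure flag on every cookie, regardless of the request scheme`, otherwise the comment should say the flag follows the request scheme. Separately, with LoginPath set to `/api/auth/login` the cookie handler answers an unauthenticated request with a 302 redirect to that path rather than a 401, which is unhelpful for a JSON API; overriding `options.Events.OnRedirectToLogin` to return 401 is the usual fix, as sketched below. The same `Always` consideration applies to any other cookie the app issues, but none is visible in these hunks.
```csharp
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true; // Makes the cookie inaccessible to client-side scripts for security
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // Secure flag on every cookie, regardless of the request scheme
        // … unchanged: SameSite, LoginPath, LogoutPath …
        // API clients expect 401 for an unauthenticated request, not a 302 to the login path
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });
```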