diff --git a/public/router.js b/public/router.js
index 0beb1e6..3b3aeb4 100644
--- a/public/router.js
+++ b/public/router.js
@@ -62,13 +62,15 @@ async function navigate(path, pushState = true) {
 const result = await auth.me();
 currentUser = result.user;
 } catch {
- navigateTo('/login', true);
+ currentPath = null; // Reset damit navigate('/login') nicht geblockt wird
+ navigate('/login');
 return;
 }
 }
 if (!route.requiresAuth && currentUser && path === '/login') {
- navigateTo('/', true);
+ currentPath = null;
+ navigate('/');
 return;
 }
diff --git a/server/middleware/csrf.js b/server/middleware/csrf.js
index 2860748..fcb301a 100644
--- a/server/middleware/csrf.js
+++ b/server/middleware/csrf.js
@@ -39,7 +39,8 @@ function csrfMiddleware(req, res, next) {
 res.cookie('csrf-token', req.session.csrfToken, {
 httpOnly: false,
 sameSite: 'strict',
- secure: process.env.NODE_ENV === 'production',
+ secure: process.env.SESSION_SECURE === 'false' ? false
+ : process.env.NODE_ENV === 'production',
 maxAge: 1000 * 60 * 60 * 24 * 7, // 7 Tage (gleich wie Session)
 });
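Review bot: The two new `navigate('/login')` and `navigate('/')` calls in the catch branch and the logged-in-on-/login branch are floating promises: `navigate` is `async` (see the hunk header) but its result is neither awaited nor returned, so a rejection inside the redirect becomes an unhandled rejection and the caller cannot tell the redirect is still in flight. Returning the promise keeps it attached to the navigation, `return navigate('/login');` and `return navigate('/');` (the bare `return;` lines then go away). Clearing `currentPath = null` to get past a guard that lives outside this hunk deserves the same comment at both sites, in English for consistency with the identifier names, e.g. `// clear currentPath so the same-path guard in navigate() does not drop the redirect` — as written only the first site explains the reset. The body of `navigate` starts before and continues after this hunk, so I cannot confirm what the guard does or whether the old `navigateTo(..., true)` second argument mapped to `pushState`.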
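Review bot: The new `SESSION_SECURE === 'false'` branch is an unconditional override, so setting that variable in a production deployment silently drops the `Secure` attribute from the CSRF cookie while `NODE_ENV` still says `production`; nothing in the hunk limits the opt-out to non-TLS local setups or surfaces it. The same result is clearer as a single boolean, `secure: process.env.NODE_ENV === 'production' && process.env.SESSION_SECURE !== 'false',`, and the comment `// SESSION_SECURE=false is an opt-out for non-TLS local runs only; never set it in production` next to it records the intent. The maxAge comment says the cookie should match the session cookie, and the session cookie's `secure` setting is presumably computed elsewhere from the same two variables; if so, a shared helper such as `isSecureCookie()` would keep the two from drifting apart. `httpOnly: false` is expected for a double-submit token but means the cookie is readable by any script on the origin, which is worth noting in the same comment.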