diff --git a/skyline_apiserver/api/v1/login.py b/skyline_apiserver/api/v1/login.py
index e4d5941..a30b3a5 100644
--- a/skyline_apiserver/api/v1/login.py
+++ b/skyline_apiserver/api/v1/login.py
@@ -300,8 +300,8 @@ async def websso(
 )
 else:
 response = RedirectResponse(url="/base/overview", status_code=status.HTTP_302_FOUND)
- response.set_cookie(CONF.default.session_name, profile.toJWTPayload())
- response.set_cookie(constants.TIME_EXPIRED_KEY, str(profile.exp))
+ response.set_cookie(CONF.default.session_name, profile.toJWTPayload(),secure=True,samesite="None")
+ response.set_cookie(constants.TIME_EXPIRED_KEY, str(profile.exp),secure=True,samesite="None")
 return response
diff --git a/skyline_apiserver/main.py b/skyline_apiserver/main.py
index e965cc0..937406e 100644
--- a/skyline_apiserver/main.py
+++ b/skyline_apiserver/main.py
@@ -42,7 +42,8 @@ async def on_startup() -> None:
 if CONF.default.cors_allow_origins:
 app.add_middleware(
 CORSMiddleware,
- allow_origins=[str(origin) for origin in CONF.default.cors_allow_origins],
+ allow_origins=[
+ str(origin) for origin in CONF.default.cors_allow_origins] + ['https://demo.felcloud.io', 'https://baha-dev.felcloud.io'],
 allow_credentials=True,
 allow_methods=["*"],
 allow_headers=["*"],
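Review bot: `samesite="None"` on the session cookie in the two new `set_cookie` calls lets browsers attach the JWT to requests initiated from any third-party site, so every cookie-authenticated, state-changing endpoint loses the browser's default cross-site protection; the CORS allow-list only limits who can read responses, not who can send requests. Unless cross-site use is a hard requirement, keep the stricter setting and harden instead, e.g. `response.set_cookie(CONF.default.session_name, profile.toJWTPayload(), secure=True, samesite="lax")`, and consider `httponly=True` on that cookie if the front end does not read it from script (not verifiable from this hunk). Hard-coding `secure=True` also means the cookies are dropped on plain-HTTP deployments, so both attributes would be better driven by configuration. `websso` begins above the hunk, and any other `set_cookie` calls in this file should get the same treatment.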
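Review bot: The two `felcloud.io` origins are hard-coded into the `allow_origins` list next to `allow_credentials=True`, so every deployment that sets any `cors_allow_origins` will also grant those hosts, including what looks like a development host, credentialed cross-origin access to the API. Origins belong in the deployment's configuration: keep `allow_origins=[str(origin) for origin in CONF.default.cors_allow_origins],` and add the two URLs to `cors_allow_origins` in the environment that needs them. Together with the `samesite="None"` cookies in login.py, a script served from either origin can make authenticated calls and read the responses, so the list should stay as small as the operator chooses. The `on_startup` body continues outside the hunk.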