diff --git a/CHANGELOG.md b/CHANGELOG.md
index 01f52283..39ec7da9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,10 +16,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - endpoint to purge repository from database, by [@bradrydzewski](https://github.com/bradrydzewski).
 - support for per-organization secrets, by [@bradrydzewski](https://github.com/bradrydzewski).
 - include system metadata in global webhooks, by [@bradrydzewski](https://github.com/bradrydzewski).
+- ability to customize cookie secure flag, by [@bradrydzewski](https://github.com/bradrydzewski).
 - update drone-yaml from version 1.0.6 to 1.0.8.
 - update drone-runtime from version 1.0.4 to 1.0.6.
 - update go-scm from version 1.0.3 to 1.0.4.
 
+### Fixed
+
+- fixed error in mysql table creation syntax, from [@xuyang2](https://github.com/xuyang2). [#2677](https://github.com/drone/drone/pull/2677).
+
 ## [1.0.1] - 2019-04-10
 
 ### Added
diff --git a/cmd/drone-server/config/config.go b/cmd/drone-server/config/config.go
index 071ce181..e77a61df 100644
--- a/cmd/drone-server/config/config.go
+++ b/cmd/drone-server/config/config.go
@@ -256,6 +256,7 @@ type (
 Session struct {
 Timeout time.Duration `envconfig:"DRONE_COOKIE_TIMEOUT" default:"720h"`
 Secret string `envconfig:"DRONE_COOKIE_SECRET"`
+Secure bool `envconfig:"DRONE_COOKIE_SECURE"`
 }
 
 // Status provides status configurations.
diff --git a/cmd/drone-server/inject_service.go b/cmd/drone-server/inject_service.go
index 68e2cdf5..6c77d45d 100644
--- a/cmd/drone-server/inject_service.go
+++ b/cmd/drone-server/inject_service.go
@@ -95,7 +95,8 @@ func provideNetrcService(client *scm.Client, renewer core.Renewer, config config
 func provideSession(store core.UserStore, config config.Config) core.Session {
 return session.New(store, session.NewConfig(
 config.Session.Secret,
-config.Session.Timeout),
+config.Session.Timeout,
+config.Session.Secure),
 )
 }
 
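Review bot: The new `Secure` field in the Session config carries no `default` tag and no comment, so the Secure attribute on the session cookie stays off unless `DRONE_COOKIE_SECURE` is set; that keeps existing plain-HTTP installs working but leaves the less safe setting as the silent default, and nothing in the hunk says so. A comment on the field would help operators, e.g. `// Secure sets the Secure attribute on the session cookie so browsers send it only over HTTPS; enable it whenever the server is reached over TLS, including behind a TLS-terminating proxy.` The enclosing `type (` block starts before the hunk.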
diff --git a/session/config.go b/session/config.go
index c7496c96..bb7191e0 100644
--- a/session/config.go
+++ b/session/config.go
@@ -18,13 +18,15 @@ import "time"
 
 // Config provides the session configuration.
 type Config struct {
+Secure bool
 Secret string
 Timeout time.Duration
 }
 
 // NewConfig returns a new session configuration.
-func NewConfig(secret string, timeout time.Duration) Config {
+func NewConfig(secret string, timeout time.Duration, secure bool) Config {
 return Config{
+Secure: secure,
 Secret: secret,
 Timeout: timeout,
 }
diff --git a/session/session.go b/session/session.go
index d3b6c555..86e2d96d 100644
--- a/session/session.go
+++ b/session/session.go
@@ -28,6 +28,7 @@ import (
 func New(users core.UserStore, config Config) core.Session {
 return &session{
 secret: []byte(config.Secret),
+secure: config.Secure,
 timeout: config.Timeout,
 users: users,
 }
@@ -36,6 +37,7 @@ func New(users core.UserStore, config Config) core.Session {
 type session struct {
 users core.UserStore
 secret []byte
+secure bool
 timeout time.Duration
 administrator string // administrator account
 
@@ -49,6 +51,7 @@ func (s *session) Create(w http.ResponseWriter, user *core.User) error {
 Path: "/",
 MaxAge: 2147483647,
 HttpOnly: true,
+Secure: s.secure,
 Value: authcookie.NewSinceNow(
 user.Login,
 s.timeout,
diff --git a/session/session_test.go b/session/session_test.go
index da2b028a..704ff6ae 100644
--- a/session/session_test.go
+++ b/session/session_test.go
@@ -36,7 +36,7 @@ func TestGet_Token_QueryParam(t *testing.T) {
 users := mock.NewMockUserStore(controller)
 users.EXPECT().FindToken(gomock.Any(), mockUser.Hash).Return(mockUser, nil)
 
-session := New(users, NewConfig("correct-horse-battery-staple", time.Hour))
+session := New(users, NewConfig("correct-horse-battery-staple", time.Hour, false))
 r := httptest.NewRequest("GET", "/?access_token=ulSxuA0FKjNiOFIchk18NNvC6ygSxdtKjiOAS", nil)
 user, _ := session.Get(r)
 if user != mockUser {
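Review bot: The exported `Secure` field added to `Config` has no doc comment, while the struct and `NewConfig` both have one; `// Secure sets the Secure attribute on the session cookie.` would document it, and the `NewConfig` comment could name the new third parameter. Inserting `Secure` ahead of `Secret` also changed the positional layout of the struct, which is why the tests had to rewrite `Config{secret, time.Hour}`; appending it after `Timeout` would have avoided that churn. The hunk ends inside the body of NewConfig.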
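Review bot: `Secure: s.secure` copies a static configuration value onto the `_session_` cookie, so with the flag unset the authenticated cookie is still issued without the Secure attribute and a browser will send it over plain HTTP; a deployment that terminates TLS at a proxy has to opt in explicitly. A comment at this line would make that visible, e.g. `// Secure is opt-in via DRONE_COOKIE_SECURE; the default keeps plain-HTTP deployments working.` The context line `MaxAge: 2147483647` keeps the cookie in the browser long after the `s.timeout` embedded in the authcookie value has passed, so a stale cookie keeps being presented until Get rejects it — pre-existing and presumably harmless given the expiry test, but worth noting next to the new field. Create starts and ends outside the hunk.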
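Review bot: None of the session_test.go hunks exercises the new flag: every call passes `false` (here and in the -58, -69, -84, -124, -140 and -162 hunks), so dropping `Secure: s.secure` from Create would go unnoticed. A test that creates a session with `secure` set and inspects the recorded cookie would pin the behaviour; a sketch follows, assuming session_test.go already imports core for mockUser and that Create does not touch the user store (otherwise pass a mock as the other tests do). The -111 and -162 hunks also keep the positional literal `Config{false, secret, time.Hour}`, which is what forced the edit when `Secure` was inserted first; keyed fields, `Config{Secret: secret, Timeout: time.Hour}`, would survive future field changes.
```go
func TestCreate_SecureCookie(t *testing.T) {
	w := httptest.NewRecorder()
	session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour, true))
	if err := session.Create(w, &core.User{Login: "octocat"}); err != nil {
		t.Fatal(err)
	}
	cookies := w.Result().Cookies()
	if len(cookies) != 1 || !cookies[0].Secure || !cookies[0].HttpOnly {
		t.Errorf("Expect Secure and HttpOnly attributes on session cookie")
	}
}
```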
@@ -58,7 +58,7 @@ func TestGet_Token_Header(t *testing.T) {
 users := mock.NewMockUserStore(controller)
 users.EXPECT().FindToken(gomock.Any(), mockUser.Hash).Return(mockUser, nil)
 
-session := New(users, NewConfig("correct-horse-battery-staple", time.Hour))
+session := New(users, NewConfig("correct-horse-battery-staple", time.Hour, false))
 r := httptest.NewRequest("GET", "/", nil)
 r.Header.Set("Authorization", "Bearer ulSxuA0FKjNiOFIchk18NNvC6ygSxdtKjiOAS")
 user, _ := session.Get(r)
@@ -69,7 +69,7 @@ func TestGet_Token_Header(t *testing.T) {
 func TestGet_Token_NoSession(t *testing.T) {
 r := httptest.NewRequest("GET", "/", nil)
 
-session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour))
+session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour, false))
 user, _ := session.Get(r)
 if user != nil {
 t.Errorf("Expect empty session")
@@ -84,7 +84,7 @@ func TestGet_Token_UserNotFound(t *testing.T) {
 users.EXPECT().FindToken(gomock.Any(), gomock.Any()).Return(nil, sql.ErrNoRows)
 r := httptest.NewRequest("GET", "/?access_token=ulSxuA0FKjNiOFIchk18NNvC6ygSxdtKjiOAS", nil)
 
-session := New(users, NewConfig("correct-horse-battery-staple", time.Hour))
+session := New(users, NewConfig("correct-horse-battery-staple", time.Hour, false))
 user, _ := session.Get(r)
 if user != nil {
 t.Errorf("Expect empty session")
@@ -111,7 +111,7 @@ func TestGet_Cookie(t *testing.T) {
 Name: "_session_",
 Value: s,
 })
-session := New(users, Config{secret, time.Hour})
+session := New(users, Config{false, secret, time.Hour})
 user, err := session.Get(r)
 if err != nil {
 t.Error(err)
@@ -124,7 +124,7 @@ func TestGet_Cookie(t *testing.T) {
 func TestGet_Cookie_NoCookie(t *testing.T) {
 r := httptest.NewRequest("GET", "/", nil)
 
-session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour))
+session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour, false))
 user, _ := session.Get(r)
 if user != nil {
 t.Errorf("Expect nil user when no cookie")
@@ -140,7 +140,7 @@ func TestGet_Cookie_Expired(t *testing.T) {
 Value: s,
 })
 
-session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour))
+session := New(nil, NewConfig("correct-horse-battery-staple", time.Hour, false))
 user, _ := session.Get(r)
 if user != nil {
 t.Errorf("Expect nil user when no cookie")
@@ -162,7 +162,7 @@ func TestGet_Cookie_UserNotFound(t *testing.T) {
 Value: s,
 })
 
-session := New(users, Config{secret, time.Hour})
+session := New(users, Config{false, secret, time.Hour})
 user, _ := session.Get(r)
 if user != nil {
 t.Errorf("Expect empty session")