diff --git a/backend/src/google_oauth.rs b/backend/src/google_oauth.rs
index a456742..80801d8 100644
--- a/backend/src/google_oauth.rs
+++ b/backend/src/google_oauth.rs
@@ -11,6 +11,7 @@ use axum::{
 use axum_extra::TypedHeader;
 use dotenvy::var;
 use headers::Cookie;
+use http::{HeaderMap, HeaderValue};
 use oauth2::{
     basic::BasicClient, reqwest::http_client, AuthUrl, AuthorizationCode, ClientId, ClientSecret,
     CsrfToken, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RevocationUrl, Scope,
@@ -109,10 +110,15 @@ pub async fn google_auth_return(
 ) -> Result {
     let state = CsrfToken::new(params.remove("state").ok_or("OAuth: without state")?);
     let code = AuthorizationCode::new(params.remove("code").ok_or("OAuth: without code")?);
-    let mut headers = axum::response::AppendHeaders([(
+    let mut headers = HeaderMap::new();
+    headers.insert(
+        axum::http::header::CACHE_CONTROL,
+        HeaderValue::from_static("no-store, no-cache, must-revalidate, max-age=0"),
+    );
+    headers.insert(
         axum::http::header::SET_COOKIE,
-        "session_token=".to_owned() + "; path=/; httponly; secure; samesite=strict",
-    )]);
+        HeaderValue::from_static("session_token=deleted; path=/; httponly; secure; samesite=strict"),
+    );
     let query: (String, String) = sqlx::query_as(
         r#"DELETE FROM oauth2_state_storage WHERE csrf_state = ? RETURNING pkce_code_verifier,return_url"#,
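Review bot: The cookie written by the new `headers.insert(axum::http::header::SET_COOKIE, ...)` call does not actually clear the session cookie: `session_token=deleted; path=/; ...` replaces the stored value with the literal string `deleted` but carries no expiry, so on any path where this header map is returned before the real token is set (each `?` further down) the browser keeps sending `session_token=deleted` until something overwrites it. If the intent is to invalidate a stale session, give it an expiry, e.g. `HeaderValue::from_static("session_token=deleted; path=/; max-age=0; httponly; secure; samesite=strict")`. The added `Cache-Control: no-store, ...` header is appropriate for a response that carries credentials. google_auth_return continues outside the hunk, so whether this header map is attached to the error responses cannot be confirmed from here.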
@@ -229,12 +235,13 @@ pub async fn google_auth_return(
     let session_token_p2 = Uuid::new_v4().to_string();
     let session_token = [session_token_p1.as_str(), "_", session_token_p2.as_str()].concat();
-    headers = axum::response::AppendHeaders([(
-        axum::http::header::SET_COOKIE,
-        "session_token=".to_owned()
-            + &*session_token
-            + "; path=/; httponly; secure; samesite=strict",
-    )]);
+    *headers.entry(axum::http::header::SET_COOKIE).or_insert(HeaderValue::from_static("")) =
+        HeaderValue::from_str(
+            &format!(
+                "session_token={}; httponly; secure; samesite=lax", // path=/; samesite=strict
+                session_token
+            )
+        ).map_err(|_| AppError::new("Failed to create session token header"))?;
     let now = Utc::now().timestamp();
     sqlx::query(
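Review bot: The replacement Set-Cookie value drops `path=/` (left only in the trailing `// path=/; samesite=strict` comment), so per the cookie default the browser scopes the session cookie to the directory of the callback URL that served this response and will not attach it to requests under other paths; unless every authenticated route lives beneath the OAuth return path, keep it in the format string, e.g. `"session_token={}; path=/; httponly; secure; samesite=lax"`. Relaxing `samesite=strict` to `lax` is a plausible fix for the redirect chain arriving from the provider, but the reason belongs in a real comment (`// Lax: the cookie must survive the cross-site redirect back from the provider`) rather than a commented-out remnant of the old attributes. The `*headers.entry(axum::http::header::SET_COOKIE).or_insert(HeaderValue::from_static("")) = ...` construction is equivalent to `headers.insert(axum::http::header::SET_COOKIE, value);`, which replaces any existing value and reads more clearly. The `map_err(|_| ...)` discards the `InvalidHeaderValue` error; including it in the message would help diagnose a malformed token. The enclosing function starts and ends outside the hunk.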