diff --git a/core/runner/Cookies.go b/core/runner/Cookies.go
index d4ab0b0..b75f6d4 100644
--- a/core/runner/Cookies.go
+++ b/core/runner/Cookies.go
@@ -117,23 +117,22 @@ local cookie = {
         if opts.expires then
             if type(opts.expires) == "number" then
                 if opts.expires > 0 then
-                    -- Add seconds to current time
                     cookie.max_age = opts.expires
                     local now = os.time()
                     cookie.expires = now + opts.expires
                 elseif opts.expires < 0 then
-                    -- Session cookie (default)
-                else
-                    -- Expire immediately
-                    cookie.expires = 0
+                    cookie.expires = 1
                     cookie.max_age = 0
+                else
+                    -- opts.expires == 0: Session cookie
+                    -- Do nothing (omitting both expires and max-age creates a session cookie)
                 end
             end
         end
 
-        -- Set flags (http_only defaults to true)
-        cookie.secure = opts.secure or false
-        cookie.http_only = (opts.http_only ~= false) -- Default to true unless explicitly set to false
+        -- Security flags
+        cookie.secure = (opts.secure ~= false)
+        cookie.http_only = (opts.http_only ~= false)
 
         -- Store in cookies table
         local n = #resp.cookies + 1