diff --git a/app.js b/app.js
index f62c2763c..257c7b921 100644
--- a/app.js
+++ b/app.js
@@ -25,6 +25,7 @@ const settingsApiRoute = require('./routes/api/settings');
 const passwordApiRoute = require('./routes/api/password');
 const migrationApiRoute = require('./routes/api/migration');
 const dataDir = require('./services/data_dir');
+const sessionSecret = require('./services/session_secret');
 const db = require('sqlite');
@@ -45,7 +46,7 @@ app.use(bodyParser.urlencoded({extended: false}));
 app.use(cookieParser());
 app.use(express.static(path.join(__dirname, 'public')));
 app.use(session({
- secret: "sdhkjhdsklajf", // FIXME: need to use the DB one
+ secret: sessionSecret,
 resave: false, // true forces the session to be saved back to the session store, even if the session was never modified during the request.
 saveUninitialized: false, // true forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified.
 cookie: {
diff --git a/services/data_dir.js b/services/data_dir.js
index 6ba81731c..f26fd41fa 100644
--- a/services/data_dir.js
+++ b/services/data_dir.js
@@ -1,3 +1,5 @@
+"use strict";
+
 const os = require('os');
 const fs = require('fs');
diff --git a/services/session_secret.js b/services/session_secret.js
new file mode 100644
index 000000000..34149fe31
--- /dev/null
+++ b/services/session_secret.js
@@ -0,0 +1,26 @@
+"use strict";
+
+const fs = require('fs');
+const crypto = require('crypto');
+const dataDir = require('./data_dir');
+
+const sessionSecretPath = dataDir.TRILIUM_DATA_DIR + "/session_secret.txt";
+
+let sessionSecret;
+
+function randomValueHex(len) {
+ return crypto.randomBytes(Math.ceil(len / 2))
+ .toString('hex') // convert to hexadecimal format
+ .slice(0, len).toUpperCase(); // return required number of characters
+}
+
+if (!fs.existsSync(sessionSecretPath)) {
+ sessionSecret = randomValueHex(64);
+
+ fs.writeFileSync(sessionSecretPath, sessionSecret, 'ASCII');
+}
+else {
+ sessionSecret = fs.readFileSync(sessionSecretPath, 'ASCII');
+}
+
+module.exports = sessionSecret;
\ No newline at end of file
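Review bot: The secret file written by `fs.writeFileSync(sessionSecretPath, sessionSecret, 'ASCII')` is created with Node's default file mode, so on a typical umask it ends up readable by every local user, and anyone who can read the data directory can mint valid session cookies. Pass an explicit mode and an exclusive-create flag so the permissions are fixed at creation time and a second process starting at the same moment cannot silently overwrite a secret the first one already handed out: `fs.writeFileSync(sessionSecretPath, sessionSecret, { encoding: 'ascii', mode: 0o600, flag: 'wx' });`. The `existsSync`-then-write pair remains a check-then-act; with `wx` the loser gets EEXIST and could fall back to the read branch, but that restructuring is beyond this hunk. On the read path, `fs.readFileSync(sessionSecretPath, 'ASCII')` returns the file verbatim, so a hand-edited file with a trailing newline yields a different secret than the one written and an empty file yields an empty string; `.trim()` the value and throw if it is empty rather than passing it on to the session middleware.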