diff --git a/services/dev/handlers.go b/services/dev/handlers.go
index aff6321..0af8feb 100644
--- a/services/dev/handlers.go
+++ b/services/dev/handlers.go
@@ -4,6 +4,7 @@ import (
"net/http"
"github.com/datasektionen/logout/pkg/httputil"
+ "github.com/datasektionen/logout/services/user/auth"
)
func (s *service) login(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
@@ -19,7 +20,7 @@ func (s *service) login(w http.ResponseWriter, r *http.Request) httputil.ToRespo
return err
}
http.SetCookie(w, &http.Cookie{
- Name: "session",
+ Name: auth.SessionCookieName,
Value: sessionID.String(),
Path: "/",
})
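Review bot: The dev login cookie is still built by hand with only Name, Value and Path, so it lacks the HttpOnly, Secure and SameSite attributes that the new `auth.SessionCookie` helper sets. Replace the literal with `http.SetCookie(w, auth.SessionCookie(sessionID.String()))` so every login path issues the same cookie. If the dev service is meant to work over plain HTTP, where a Secure cookie may not be stored, state that in a comment instead of leaving the difference implicit. The body of `login` starts outside this hunk.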
diff --git a/services/passkey/handlers.go b/services/passkey/handlers.go
index 2f27030..fb2bec3 100644
--- a/services/passkey/handlers.go
+++ b/services/passkey/handlers.go
@@ -8,6 +8,7 @@ import (
"github.com/datasektionen/logout/pkg/database"
"github.com/datasektionen/logout/pkg/httputil"
"github.com/datasektionen/logout/services/passkey/export"
+ "github.com/datasektionen/logout/services/user/auth"
"github.com/go-webauthn/webauthn/protocol"
"github.com/go-webauthn/webauthn/webauthn"
"github.com/google/uuid"
@@ -40,8 +41,8 @@ func (s *service) beginLoginPasskey(w http.ResponseWriter, r *http.Request) http
func (s *service) finishLoginPasskey(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
var body struct {
- KTHID string `json:"kthid"`
- Cred protocol.CredentialAssertionResponse `json:"cred"`
+ KTHID string `json:"kthid"`
+ Cred protocol.CredentialAssertionResponse `json:"cred"`
}
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
return httputil.BadRequest("Invalid credential")
@@ -67,7 +68,15 @@ func (s *service) finishLoginPasskey(w http.ResponseWriter, r *http.Request) htt
if err != nil {
return err
}
- return s.user.LoginUser(r.Context(), user.KTHID)
+
+ sessionID, err := s.db.CreateSession(r.Context(), user.KTHID)
+ if err != nil {
+ return err
+ }
+
+ http.SetCookie(w, auth.SessionCookie(sessionID.String()))
+
+ return nil
}
// ---
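Review bot: `finishLoginPasskey` now mints the session itself through `s.db.CreateSession` instead of going through `s.user.LoginUser`, so session issuance lives in two places and anything later added to `LoginUser` (audit logging, session rotation) would silently skip passkey logins. A comment above the call should record why, for example `// Not using s.user.LoginUser: it answers with a redirect, and this endpoint only needs the cookie set.` That reason is inferred from the diff, so confirm it. Also check that `user` is the account the asserted credential was verified against and not merely the one looked up from the client-supplied `kthid`; the verification lies outside this hunk.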
diff --git a/services/passkey/passkey.templ b/services/passkey/passkey.templ
index ae4cea5..2ae2ba1 100644
--- a/services/passkey/passkey.templ
+++ b/services/passkey/passkey.templ
@@ -25,7 +25,6 @@ templ passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) {
for (let ac of credAss.publicKey.allowCredentials) {
ac.id = decodebase64url(ac.id);
}
- console.log(credAss);
event.preventDefault();
try {
let cred = await navigator.credentials.get(credAss);
diff --git a/services/passkey/passkey_templ.go b/services/passkey/passkey_templ.go
index 42b7d45..fd1b4fd 100644
--- a/services/passkey/passkey_templ.go
+++ b/services/passkey/passkey_templ.go
@@ -63,7 +63,7 @@ func passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) templ.Com
return templ_7745c5c3_Err
}
if credAss != nil {
- _, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("")
+ _, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("")
if templ_7745c5c3_Err != nil {
return templ_7745c5c3_Err
}
@@ -75,7 +75,7 @@ func passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) templ.Com
var templ_7745c5c3_Var3 string
templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(kthid)
if templ_7745c5c3_Err != nil {
- return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 76, Col: 17}
+ return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 75, Col: 17}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
if templ_7745c5c3_Err != nil {
@@ -143,7 +143,7 @@ func showPasskey(passkey export.Passkey) templ.Component {
var templ_7745c5c3_Var7 string
templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs(passkey.Name)
if templ_7745c5c3_Err != nil {
- return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 98, Col: 22}
+ return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 97, Col: 22}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
if templ_7745c5c3_Err != nil {
@@ -156,7 +156,7 @@ func showPasskey(passkey export.Passkey) templ.Component {
var templ_7745c5c3_Var8 string
templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs("/passkey/" + passkey.ID.String())
if templ_7745c5c3_Err != nil {
- return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 105, Col: 48}
+ return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 104, Col: 48}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
if templ_7745c5c3_Err != nil {
@@ -237,7 +237,7 @@ func addPasskeyForm(cc *protocol.CredentialCreation) templ.Component {
var templ_7745c5c3_Var11 string
templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(templ.JSONString(cc))
if templ_7745c5c3_Err != nil {
- return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 138, Col: 49}
+ return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 137, Col: 49}
}
_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
if templ_7745c5c3_Err != nil {
diff --git a/services/static/public/hx-clone.js b/services/static/public/hx-clone.js
index ff0f867..233b938 100644
--- a/services/static/public/hx-clone.js
+++ b/services/static/public/hx-clone.js
@@ -7,7 +7,6 @@ htmx.defineExtension('clone', {
const get = evt.detail.elt.getAttribute('hx-get')
if (get && get.startsWith('clone-template#')) {
const selector = get.substring(15)
- //console.log('htmx-clone: Intercepting xhr request to inject template with selector:', selector)
const template = document.querySelector(selector)
let templateContent = ''
if (!template) {
diff --git a/services/user/auth/auth.go b/services/user/auth/auth.go
new file mode 100644
index 0000000..7a50159
--- /dev/null
+++ b/services/user/auth/auth.go
@@ -0,0 +1,16 @@
+package auth
+
+import "net/http"
+
+const SessionCookieName string = "_logout_session"
+
+func SessionCookie(sessionID string) *http.Cookie {
+ return &http.Cookie{
+ Name: SessionCookieName,
+ Value: sessionID,
+ Path: "/",
+ HttpOnly: true,
+ Secure: true,
+ SameSite: http.SameSiteLaxMode,
+ }
+}
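Review bot: The exported `SessionCookieName` and `SessionCookie` have no doc comments, and the cookie sets neither MaxAge nor Expires, so only server-side session expiry (not visible in this diff) bounds how long a login lasts. Add something like `// SessionCookie returns the cookie carrying a login session ID; it is HttpOnly, Secure and SameSite=Lax and has no explicit expiry.` plus a one-line comment on the constant. Because the cookie is already Secure with `Path: "/"` and no Domain, the name could take the `__Host-` prefix so browsers enforce those attributes. The explicit `string` in the const declaration is redundant.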
diff --git a/services/user/handlers.go b/services/user/handlers.go
index ed48cb4..5f1afb6 100644
--- a/services/user/handlers.go
+++ b/services/user/handlers.go
@@ -13,6 +13,8 @@ import (
"github.com/jackc/pgx/v5"
)
+const nextUrlCookie string = "_logout_next-url"
+
func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
returnURL := r.FormValue("next-url")
if returnURL != "" && returnURL[0] != '/' {
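Review bot: The check `returnURL[0] != '/'` accepts values that begin with `//` or `/\`, which browsers resolve against a different host, so `next-url` can still point off-site when it later reaches `http.Redirect`. Reject those prefixes as well, or parse the value with `url.Parse` and require an empty `Host` and `Scheme` before accepting it. The new constant would read better as `nextURLCookie` under Go's initialism convention. The branch body and the rest of `index` are outside this hunk.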
@@ -20,7 +22,7 @@ func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToRespo
}
hasCookie := false
if returnURL == "" {
- c, _ := r.Cookie("next-url")
+ c, _ := r.Cookie(nextUrlCookie)
if c != nil {
returnURL = c.Value
hasCookie = true
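Review bot: The value read from `nextUrlCookie` is assigned to `returnURL` after the leading-slash check has already run, so as far as these hunks show a cookie-supplied value is never validated before it becomes the redirect target in the next hunk. Cookie values are client-controlled, so apply the same validation to `c.Value`, for example `if c != nil && strings.HasPrefix(c.Value, "/") {`, ideally through a shared helper used for both the form value and the cookie. The enclosing function continues outside the hunk.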
@@ -33,14 +35,14 @@ func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToRespo
return err
} else if kthid != "" {
if hasCookie {
- http.SetCookie(w, &http.Cookie{Name: "next-url", MaxAge: -1})
+ http.SetCookie(w, &http.Cookie{Name: nextUrlCookie, MaxAge: -1})
}
http.Redirect(w, r, returnURL, http.StatusSeeOther)
return nil
}
if returnURL != "" {
http.SetCookie(w, &http.Cookie{
- Name: "next-url",
+ Name: nextUrlCookie,
Value: returnURL,
MaxAge: int((time.Minute * 10).Seconds()),
Secure: true,
diff --git a/services/user/user.go b/services/user/user.go
index e57f594..860dd58 100644
--- a/services/user/user.go
+++ b/services/user/user.go
@@ -9,6 +9,7 @@ import (
"github.com/datasektionen/logout/pkg/httputil"
dev "github.com/datasektionen/logout/services/dev/export"
passkey "github.com/datasektionen/logout/services/passkey/export"
+ "github.com/datasektionen/logout/services/user/auth"
"github.com/datasektionen/logout/services/user/export"
"github.com/google/uuid"
"github.com/jackc/pgx/v5"
@@ -70,20 +71,13 @@ func (s *service) LoginUser(ctx context.Context, kthid string) httputil.ToRespon
return err
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- http.SetCookie(w, &http.Cookie{
- Name: "session",
- Value: sessionID.String(),
- Path: "/",
- HttpOnly: true,
- Secure: true,
- SameSite: http.SameSiteLaxMode,
- })
+ http.SetCookie(w, auth.SessionCookie(sessionID.String()))
http.Redirect(w, r, "/", http.StatusSeeOther)
})
}
func (s *service) GetLoggedInKTHID(r *http.Request) (string, error) {
- sessionCookie, _ := r.Cookie("session")
+ sessionCookie, _ := r.Cookie(auth.SessionCookieName)
if sessionCookie == nil {
return "", nil
}
@@ -113,7 +107,7 @@ func (s *service) GetLoggedInUser(r *http.Request) (*export.User, error) {
}
func (s *service) Logout(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
- sessionCookie, _ := r.Cookie("session")
+ sessionCookie, _ := r.Cookie(auth.SessionCookieName)
if sessionCookie != nil {
sessionID, err := uuid.Parse(sessionCookie.Value)
if err != nil {
@@ -122,7 +116,7 @@ func (s *service) Logout(w http.ResponseWriter, r *http.Request) httputil.ToResp
}
}
}
- http.SetCookie(w, &http.Cookie{Name: "session", MaxAge: -1})
+ http.SetCookie(w, &http.Cookie{Name: auth.SessionCookieName, MaxAge: -1})
http.Redirect(w, r, "/", http.StatusSeeOther)
return nil
}
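Review bot: The deletion cookie `&http.Cookie{Name: auth.SessionCookieName, MaxAge: -1}` carries no Path, while `auth.SessionCookie` sets `Path: "/"`. A browser only removes a cookie whose name and path both match, so unless Logout is served from a top-level route the session cookie can survive logout in the browser. Use `http.SetCookie(w, &http.Cookie{Name: auth.SessionCookieName, Path: "/", MaxAge: -1})`, or add a clearing helper next to `SessionCookie` so the attributes stay in one place. The `nextUrlCookie` deletion in services/user/handlers.go has the same shape and should be checked against the attributes used where that cookie is set. Logout's body begins outside this hunk.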