diff --git a/l4d2web/tests/e2e/conftest.py b/l4d2web/tests/e2e/conftest.py
index d3c9ea2..491efac 100644
--- a/l4d2web/tests/e2e/conftest.py
+++ b/l4d2web/tests/e2e/conftest.py
@@ -30,7 +30,20 @@ def live_server(tmp_path, monkeypatch):
     db_path = tmp_path / "e2e.db"
     db_url = f"sqlite:///{db_path}"
     monkeypatch.setenv("DATABASE_URL", db_url)
+    # app.py:57 sets SESSION_COOKIE_SECURE = not TESTING, which would
+    # mark the session cookie Secure. The browser then drops it over
+    # http://127.0.0.1 in e2e tests and the login flow silently fails
+    # with a redirect back to /login. Force it off explicitly via the
+    # env-var override (app.py:53-55) rather than flipping TESTING,
+    # which would skip the SECRET_KEY guard and other production paths.
+    monkeypatch.setenv("SESSION_COOKIE_SECURE", "0")
     app = create_app({"TESTING": False, "DATABASE_URL": db_url, "SECRET_KEY": "e2e"})
+    # create_app() already calls init_db() inside an app context, which
+    # binds tables to the in-app engine. The seed work below uses
+    # session_scope() OUTSIDE any app context, which reads DATABASE_URL
+    # from the environment and binds its own engine. This second init_db()
+    # call creates the tables on that env-derived engine so the seed
+    # inserts have somewhere to land.
     init_db()
 
     with session_scope() as session: