diff --git a/owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py b/owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py
index 59267802f..202aaa1d9 100644
--- a/owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py
+++ b/owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py
@@ -12,6 +12,7 @@ app = Flask(__name__)
+SECRET_KEY = os.environ.get('SESSION_SECRET', '')
 database = DataBase(os.environ.get('A2_DATABASE_HOST'), os.environ.get('A2_DATABASE_USER'), os.environ.get('A2_DATABASE_PASSWORD'),
@@ -26,7 +27,7 @@ def decorated_function(*args, **kwargs):
 cookie_separado = cookie.split('.')
 if(len(cookie_separado) != 2):
 return "Invalid cookie!"
- hash_cookie = hashlib.sha256(cookie_separado[0].encode('utf-8')).hexdigest()
+ hash_cookie = hashlib.sha256((cookie_separado[0] + SECRET_KEY).encode('utf-8')).hexdigest()
 if (hash_cookie != cookie_separado[1]):
 return redirect("/login")
 j = json.loads(cookie_separado[0])
@@ -44,7 +45,7 @@ def decorated_function(*args, **kwargs):
 cookie_separado = cookie.split('.')
 if(len(cookie_separado) != 2):
 return "Invalid cookie! \n"
- hash_cookie = hashlib.sha256(cookie_separado[0].encode('utf-8')).hexdigest()
+ hash_cookie = hashlib.sha256((cookie_separado[0] + SECRET_KEY).encode('utf-8')).hexdigest()
 if (hash_cookie != cookie_separado[1]):
 return redirect("/login")
 return f(*args, **kwargs)
@@ -104,7 +105,7 @@ def login():
 cookie_dic = {"permissao": result[1], "username": form_username}
 cookie = json.dumps(cookie_dic)
- hash_cookie = hashlib.sha256(cookie.encode('utf-8')).hexdigest()
+ hash_cookie = hashlib.sha256((cookie + SECRET_KEY).encode('utf-8')).hexdigest()
 cookie_done = '.'.join([cookie,hash_cookie])
 cookie_done = base64.b64encode(str(cookie_done).encode("utf-8"))
 resp = make_response("Logged in!")
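Review bot: The `''` default on the new `SECRET_KEY = os.environ.get('SESSION_SECRET', '')` line means that when `SESSION_SECRET` is not set the tag silently degrades to the unkeyed `sha256(cookie)` this commit is replacing, so anyone can mint a cookie with `"permissao"` set to whatever they like and the change fixes nothing in that deployment. The module should fail closed at import time instead, e.g. `SECRET_KEY = os.environ['SESSION_SECRET']` or `if not SECRET_KEY: raise RuntimeError('SESSION_SECRET must be set')`. If, given that this is an OWASP training app, the unset case is meant to stay exploitable for the exercise, say so in a comment on that line so the pattern is not copied into real code.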
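Review bot: The changed line still lets the following `if (hash_cookie != cookie_separado[1]):` compare an attacker-supplied digest with a plain `!=`, which is not constant-time, and `sha256(data + key)` is an ad-hoc keyed hash rather than a MAC. The stdlib form is `expected = hmac.new(SECRET_KEY.encode('utf-8'), cookie_separado[0].encode('utf-8'), hashlib.sha256).hexdigest()` followed by `if not hmac.compare_digest(expected, cookie_separado[1]):`, with `import hmac` added to the file header, which is outside this hunk. Whatever construction is chosen here has to be mirrored exactly in the login route that signs the cookie, or every session will be rejected. `decorated_function` and its enclosing decorator start before the hunk.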
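Review bot: This hunk's changed line is a byte-for-byte copy of the one in the previous decorator, and the commit itself shows the cost of that duplication by having to patch the same expression in three places; a later change to the scheme (rotating the key, switching to HMAC) will be missed in one of them. Pull the tag computation and the check into module-level helpers and have both decorators call `if not _cookie_is_valid(cookie_separado): return redirect("/login")` in place of the `hash_cookie = ...` and `if (hash_cookie != ...)` pair, keeping the existing `len(...) != 2` branches as they are since their responses differ. The helpers below use the construction this commit introduces so behaviour is unchanged apart from the constant-time compare; `hmac` would need importing at the top of the file, outside the hunk. `decorated_function` starts before the hunk.

```python
def _cookie_tag(payload):
    """Hex tag for the JSON payload; the one place the signing scheme lives."""
    return hashlib.sha256((payload + SECRET_KEY).encode('utf-8')).hexdigest()


def _cookie_is_valid(parts):
    """True iff parts is [payload, tag] and the tag verifies (constant-time compare)."""
    return len(parts) == 2 and hmac.compare_digest(_cookie_tag(parts[0]), parts[1])
```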
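Review bot: The cookie signed on the changed line carries only `"permissao"` and `"username"`, so once issued it is valid forever under the current key and a stolen or leaked cookie cannot expire or be revoked short of rotating `SESSION_SECRET` for every user. Add an expiry to the signed payload, e.g. `cookie_dic = {"permissao": result[1], "username": form_username, "exp": int(time.time()) + 3600}` (with `import time` at the file header, outside the hunk), and have the two verifying decorators reject a payload whose `exp` is in the past. The `set_cookie` call that sends `cookie_done` is not in this hunk; it is worth confirming it passes `httponly=True`, `secure=True` and a `samesite` value. `login()` starts before the hunk and continues after it.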