diff --git a/development.ini b/development.ini
index edc4eab..d00cbbd 100644
--- a/development.ini
+++ b/development.ini
@@ -20,6 +20,12 @@ sqlalchemy.url = sqlite:///%(here)s/ordr2.sqlite
 # '127.0.0.1' and '::1'.
 # debugtoolbar.hosts = 127.0.0.1 ::1
+
+# custom settings
+
+session.secret = 'Change Me 2'
+session.auto_csrf = true
+
 ###
 # wsgi server configuration
 ###
diff --git a/ordr2/__init__.py b/ordr2/__init__.py
index ede0451..82947b4 100644
--- a/ordr2/__init__.py
+++ b/ordr2/__init__.py
@@ -8,13 +8,21 @@ __version__ = '0.0.1'
 from pyramid.config import Configurator
+from pyramid.session import SignedCookieSessionFactory
 def main(global_config, **settings):
 ''' This function returns a Pyramid WSGI application. '''
 config = Configurator(settings=settings)
- config.include('pyramid_jinja2')
- config.include('.models')
+
+ session_factory = SignedCookieSessionFactory(settings['session.secret'])
+ config.set_session_factory(session_factory)
+ config.set_default_csrf_options(require_csrf=settings['session.auto_csrf'])
+
 config.include('.resources')
+ config.include('.models')
+ config.include('pyramid_jinja2')
+
 config.scan()
+
 return config.make_wsgi_app()
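Review bot: `session.secret = 'Change Me 2'` puts the cookie-signing key into a tracked file as a placeholder, and the other file in this commit passes it unchanged to SignedCookieSessionFactory. Any deployment that keeps this value accepts session cookies signed by anyone who has read the repository. The quotes are probably not stripped by the INI parser, so they likely become part of the key, which is easy to miss when the value is later replaced. I would add a comment above the setting, `# session.secret signs the session cookie: use a long random value per deployment and keep it out of version control`, and have start-up reject the placeholder outside development.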
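Review bot: `require_csrf=settings['session.auto_csrf']` passes the raw INI string, so `session.auto_csrf = false` is still a non-empty, truthy value and the setting cannot switch the check off the way its name suggests. The failure is on the safe side, but the option is misleading. Converting it explicitly with `from pyramid.settings import asbool` and `config.set_default_csrf_options(require_csrf=asbool(settings.get('session.auto_csrf', True)))` fixes this and keeps CSRF checking on when the key is absent. Separately, the session factory is built with its default cookie flags; as far as I know the cookie is then not marked HttpOnly or Secure, so `SignedCookieSessionFactory(settings['session.secret'], httponly=True)`, plus `secure=True` behind TLS, is worth setting here. The cookie is signed but not encrypted, so nothing confidential should be stored in the session; a comment on `session_factory` saying so would help.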