diff --git a/src/app.ts b/src/app.ts
index 97fa20ba6a..ebff6eed17 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -37,10 +37,13 @@ const app = express()
 .use(logger())
 .use(bodyParser.json())
 .use(extractToken)
+
+ // the auth endpoints allow you to login/logout etc. It should ignore the authentication check
+ .use('/auth', authRouter)
+
 .use(authenticate)
 .use('/activity', activityRouter)
 .use('/assets', assetsRouter)
- .use('/auth', authRouter)
 .use('/collections', collectionsRouter)
 .use('/collection_presets', collectionPresetsRouter)
 .use('/extensions', extensionsRouter)
diff --git a/src/middleware/authenticate.ts b/src/middleware/authenticate.ts
index 4627779a74..4ef611c685 100644
--- a/src/middleware/authenticate.ts
+++ b/src/middleware/authenticate.ts
@@ -9,6 +9,7 @@ import { InvalidCredentialsException } from '../exceptions';
 * Verify the passed JWT and assign the user ID and role to `req`
 */
 const authenticate: RequestHandler = asyncHandler(async (req, res, next) => {
+ /** @todo base this on a validation middleware on permissions */
 if (!req.token) return next();
 if (isJWT(req.token)) {
diff --git a/src/routes/auth.ts b/src/routes/auth.ts
index c539fc5178..9bc94fcf1c 100644
--- a/src/routes/auth.ts
+++ b/src/routes/auth.ts
@@ -65,12 +65,11 @@ router.post(
 if (mode === 'cookie') {
 res.cookie('directus_refresh_token', refreshToken, {
 httpOnly: true,
- expires: refreshTokenExpiration,
- maxAge: ms(process.env.REFRESH_TOKEN_TTL) / 1000,
+ maxAge: ms(process.env.REFRESH_TOKEN_TTL),
 secure: process.env.REFRESH_TOKEN_COOKIE_SECURE === 'true' ? true : false,
 sameSite:
 (process.env.REFRESH_TOKEN_COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') ||
- 'lax',
+ 'strict',
 });
 }
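Review bot: The new comment above `.use('/auth', authRouter)` describes the auth endpoints as ignoring "the authentication check", but `authenticate` as shown in this commit's authenticate.ts hunk already calls `next()` when no token is present, so what the reorder actually changes is that `/auth` handlers no longer receive the user ID and role that `authenticate` assigns to `req` when a token is sent, and a token that fails verification presumably no longer rejects them. If anything in `authRouter` (a logout or refresh handler, not visible here) reads that state, it now runs without it. I'd make the comment state the contract rather than the intent, e.g. `// Mounted before authenticate: /auth handlers run without req user/role and must not depend on them.`, and fix the grammar ("It should" → "They should") if the original wording is kept. The `app` middleware chain starts before this hunk and continues past it.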
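Review bot: The `@todo` sits directly above `if (!req.token) return next();`, which lets a token-less request continue into every router mounted after `authenticate` in app.ts, so this middleware populates identity but does not gate anything and authorization rests entirely on downstream permission checks. That contract should be written down so a later reader does not mistake `authenticate` for an access check; I'd replace the todo with `// No token: continue as an anonymous request. Nothing is rejected here; downstream permission checks must deny whatever anonymous callers may not do (TODO: move this onto a permissions-validation middleware).`. The handler body continues past the end of the hunk, so how an invalid token is handled is not visible here.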
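Review bot: `secure` is only set when `REFRESH_TOKEN_COOKIE_SECURE === 'true'`, while `REFRESH_TOKEN_COOKIE_SAME_SITE` may be `'none'`; browsers discard a `SameSite=None` cookie that is not also `Secure`, so that combination silently drops the refresh token rather than failing loudly. Hoisting the computed value and tying the two together avoids it: `const sameSite = (process.env.REFRESH_TOKEN_COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') || 'strict';` before the call, then `secure: process.env.REFRESH_TOKEN_COOKIE_SECURE === 'true' || sameSite === 'none',` and `sameSite,` in the options. Changing the default from `'lax'` to `'strict'` is the stronger CSRF posture, but a strict cookie is not sent on top-level navigations arriving from another origin, so if any login flow here returns via a redirect from an external provider it would not carry the refresh token; worth a sentence next to the env-var documentation. Dropping `/ 1000` is right, since Express's `maxAge` and `ms()` are both in milliseconds. The enclosing `router.post` handler starts before and ends after this hunk.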
@@ -108,12 +107,11 @@ router.post(
 if (mode === 'cookie') {
 res.cookie('directus_refresh_token', refreshToken, {
 httpOnly: true,
- expires: refreshTokenExpiration,
- maxAge: ms(process.env.REFRESH_TOKEN_TTL) / 1000,
+ maxAge: ms(process.env.REFRESH_TOKEN_TTL),
 secure: process.env.REFRESH_TOKEN_COOKIE_SECURE === 'true' ? true : false,
 sameSite:
 (process.env.REFRESH_TOKEN_COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') ||
- 'lax',
+ 'strict',
 });
 }
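Review bot: This cookie options object is a byte-for-byte copy of the one in the hunk at line 65, and this very change had to be applied to both; duplicated security settings (`httpOnly`, `secure`, `sameSite`, TTL) drift easily, so I'd extract them into one helper next to the router and call it from both places. A side benefit is a single spot to deal with `REFRESH_TOKEN_TTL` being unset, which `ms()` as far as I know throws on at request time rather than at startup. The enclosing `router.post` handler starts before and ends after this hunk.
```typescript
// module scope, alongside the router
function refreshTokenCookieOptions() {
	const sameSite: 'lax' | 'strict' | 'none' =
		(process.env.REFRESH_TOKEN_COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') || 'strict';
	return {
		httpOnly: true,
		maxAge: ms(process.env.REFRESH_TOKEN_TTL),
		secure: process.env.REFRESH_TOKEN_COOKIE_SECURE === 'true',
		sameSite,
	};
}

// … unchanged: refresh handler body …
if (mode === 'cookie') {
	res.cookie('directus_refresh_token', refreshToken, refreshTokenCookieOptions());
}
```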