diff --git a/frontend-js/src/main/js/ServerConnector.js b/frontend-js/src/main/js/ServerConnector.js
index b949b1d6786732a58f4070b65031c8aebf8d6ec3..e2ea92b9aeae963874d5e12e9f5678d21833eeb0 100644
--- a/frontend-js/src/main/js/ServerConnector.js
+++ b/frontend-js/src/main/js/ServerConnector.js
@@ -860,16 +860,9 @@ ServerConnector.login = function(login, password) {
   } else {
     params.login = "anonymous";
   }
-  return self.sendPostRequest(self.loginUrl(), params).then(function(content) {
-    var obj = JSON.parse(content);
-    var token = obj.id;
-    if (token === undefined) {
-      return Promise.reject(obj.error);
-    } else {
-      self.getSessionData().setToken(token);
-      self.getSessionData().setLogin(params.login);
-      return Promise.resolve(token);
-    }
+  return self.sendPostRequest(self.loginUrl(), params).then(function() {
+    self.getSessionData().setLogin(params.login);
+    return Promise.resolve(self.getSessionData().getToken());
   });
 };
 
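Review bot: The success callback resolves with `self.getSessionData().getToken()` without checking that a token is actually present, whereas the removed code rejected the promise when none came back. If the login cookie is missing or not visible to the session data (blocked cookies, a different path or host), callers would receive a resolved promise carrying `undefined`. Consider `var token = self.getSessionData().getToken();` followed by `if (token === undefined) { return Promise.reject(new Error("Login did not yield a session token")); }` before `return token;`. How getToken() obtains its value is not visible in this hunk, and the start of ServerConnector.login lies outside it.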
diff --git a/frontend-js/src/test/js/ServerConnector-test.js b/frontend-js/src/test/js/ServerConnector-test.js
index d0732db80a99d0b3fcdd9aad0b336cf09d47704c..0ee2386c66781748a41bba1661fb1ee360d9f533 100644
--- a/frontend-js/src/test/js/ServerConnector-test.js
+++ b/frontend-js/src/test/js/ServerConnector-test.js
@@ -117,13 +117,6 @@ describe('ServerConnector', function() {
     });
   });
 
-  it('getToken without login', function() {
-    ServerConnector.getSessionData().setToken(undefined);
-    return ServerConnector.getToken().then(function(token) {
-      assert.ok(token);
-    });
-  });
-
   it('logout', function() {
     return ServerConnector.logout().then(function() {
       assert.equal(ServerConnector.getSessionData().getToken(), undefined);
diff --git a/rest-api/pom.xml b/rest-api/pom.xml
index 6898343897d078f62b60ef74b623cf0e7974b821..43e369a82a68de23354175284a8441d1333373b8 100644
--- a/rest-api/pom.xml
+++ b/rest-api/pom.xml
@@ -61,6 +61,13 @@
     	<version>${jackson.version}</version>
 		</dependency>		
 
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>servlet-api</artifactId>
+			<version>${servlet-api.version}</version>
+			<scope>provided</scope>
+		</dependency>
+
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-all</artifactId>
diff --git a/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java b/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
index 1788c95f3273ba60aced94e2c0115a389bd4f1f0..8e28369560228166e47eb6484acf85c032c43764 100644
--- a/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
+++ b/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
@@ -1,8 +1,13 @@
 package lcsb.mapviewer.api.users;
 
+import java.io.IOException;
+import java.util.Calendar;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
@@ -32,16 +37,32 @@ public class UserController extends BaseController {
 	@RequestMapping(value = "/doLogin", method = { RequestMethod.GET, RequestMethod.POST }, produces = { MediaType.APPLICATION_JSON_VALUE })
 	public Map<String, Object> login(//
 			@RequestParam(value = "login", defaultValue = Configuration.ANONYMOUS_LOGIN) String login, //
-			@RequestParam(value = "password", required = false) String password//
-	) throws SecurityException {
+			@RequestParam(value = "password", required = false) String password, //
+			HttpServletResponse response //
+	) throws SecurityException, IOException {
 		AuthenticationToken token = userService.login(login, password);
-		Map<String, Object> result = new HashMap<>();
 		if (token == null) {
 			throw new SecurityException("Invalid credentials");
 		} else {
-			result.put("id", token.getId());
+			Map<String, Object> result = new HashMap<>();
+			final Boolean useSecureCookie = false;
+			final int expiryTime = (int) (token.getExpires().getTimeInMillis() - Calendar.getInstance().getTimeInMillis()) / 1000; // 24h
+																																																														 // in
+																																																														 // seconds
+			final String cookiePath = "/";
+
+			Cookie cookie = new Cookie("MINERVA_AUTH_TOKEN", token.getId());
+
+			cookie.setSecure(useSecureCookie);
+			cookie.setMaxAge(expiryTime);
+			cookie.setPath(cookiePath);
+
+			response.addCookie(cookie);
+			response.getWriter().write("{\"info\":\"Login successful. TOKEN returned as a cookie\"}");
+			response.getWriter().flush();
+			response.getWriter().close();
+			return result;
 		}
-		return result;
 	}
 
 	@RequestMapping(value = "/users/{login}", method = { RequestMethod.GET, RequestMethod.POST }, produces = { MediaType.APPLICATION_JSON_VALUE })
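Review bot: The `MINERVA_AUTH_TOKEN` cookie is created with `useSecureCookie` hard-coded to `false` and is never marked HttpOnly, so the session token can travel over plain HTTP and is readable by any script running on the page. Take the Secure flag from deployment configuration (or use `cookie.setSecure(true);` when the site is served over HTTPS) and add `cookie.setHttpOnly(true);` unless the frontend must read the token from script, which the new `getSessionData().getToken()` call in ServerConnector.login suggests it may; `setHttpOnly` needs Servlet 3.0 or later, so check what `${servlet-api.version}` resolves to. In `expiryTime` the `(int)` cast binds to the millisecond difference before the division, so it should read `(int) ((token.getExpires().getTimeInMillis() - Calendar.getInstance().getTimeInMillis()) / 1000)` to avoid overflow for lifetimes above roughly 24 days. The handler also writes and closes the response writer itself and then returns an empty `result` map; putting the message in the map with `result.put("info", "Login successful. TOKEN returned as a cookie");` and dropping the three `getWriter()` calls would leave serialisation to the framework. Because the browser now attaches the token automatically, state-changing endpoints presumably need CSRF protection, which this hunk does not show.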