diff --git a/velruse/app/__init__.py b/velruse/app/__init__.py
index 51ec761..c95a650 100644
--- a/velruse/app/__init__.py
+++ b/velruse/app/__init__.py
@@ -1,4 +1,5 @@
 import os
+import sys
 from anykeystore import create_store_from_settings
@@ -9,9 +10,15 @@ from velruse.app.utils import generate_token
 from velruse.app.utils import redirect_form
+try:
+    import secrets
+except ImportError:
+    secrets = None
 log = __import__('logging').getLogger(__name__)
+PYTHON_2 = sys.version_info.major == 2
+
 def auth_complete_view(context, request):
     endpoint = request.registry.settings.get('endpoint')
@@ -73,7 +80,10 @@ def default_setup(config):
     specified then an in-memory storage backend will be used.
     """
-    from pyramid.session import UnencryptedCookieSessionFactoryConfig
+    try:
+        from pyramid.session import SignedCookieSessionFactory as SessionFactory
+    except ImportError:
+        from pyramid.session import UnencryptedCookieSessionFactoryConfig as SessionFactory
     log.info('Using an unencrypted cookie-based session. This can be '
              'changed by pointing the "velruse.setup" setting at a different '
@@ -83,13 +93,18 @@ def default_setup(config):
     secret = settings.get('session.secret')
     cookie_name = settings.get('session.cookie_name', 'velruse.session')
     if secret is None:
-        log.warn('Configuring unencrypted cookie-based session with a '
-                 'random secret which will invalidate old cookies when '
-                 'restarting the app.')
-        secret = ''.join('%02x' % ord(x) for x in os.urandom(16))
+        log.info(
+            'Configuring unencrypted cookie-based session with a '
+            'random secret which will invalidate old cookies when '
+            'restarting the app.')
+        if secrets is not None:
+            secret = secrets.token_urlsafe(32)
+        elif PYTHON_2:
+            secret = ''.join('%02x' % ord(x) for x in os.urandom(16))
+        else:
+            secret = ''.join('%02x' % x for x in os.urandom(16))
         log.info('autogenerated session secret: %s', secret)
-    factory = UnencryptedCookieSessionFactoryConfig(
-        secret, cookie_name=cookie_name)
+    factory = SessionFactory(secret, cookie_name=cookie_name)
     config.set_session_factory(factory)
     # setup backing storage
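Review bot: The autogenerated session secret is still written to the log by the unchanged `log.info('autogenerated session secret: %s', secret)` line directly after the new generation branch, so the cookie-signing key lands in whatever log sink the app uses, a credential disclosure the commit leaves in place while improving the key's entropy. Suggest `log.info('autogenerated a random session secret')` and let operators who need a stable key set `session.secret`. Relatedly, downgrading the "random secret will invalidate old cookies" message from `log.warn` to `log.info` hides an operational misconfiguration; `log.warning(...)` keeps the severity while also dropping the deprecated `warn` alias. The rest of `default_setup` continues outside the hunk.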