diff --git a/.gitignore b/.gitignore
index 6081b64..5a12ba4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 /target
 .vscode
 users.json
+message.zsh
+users_db/
diff --git a/Cargo.toml b/Cargo.toml
index f1f4c2a..320e7f1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-rocket = "0.4.10"
+rocket = { version = "0.4.10", features = ["private-cookies"] }
 serde = { version = "1.0.126", features = ["derive"] }
 serde_json = "1.0"
 sha1 = "0.6.0"
diff --git a/README.md b/README.md
index 9b5f7ff..3dcaf2b 100644
--- a/README.md
+++ b/README.md
@@ -60,9 +60,12 @@ Whenever user sends a message, client will send message & token and backend will
 - [x] Finish up `chat::create_message()`
 - [x] Create `chat::fetch_messages()`
 - [ ] Create `chat::delete_message()`
+- [x] Switch to using sled database to store users
 - [x] Token generation & storage
 - [x] Sets cookie
 - [x] Store token in json
+ - [x] Have cookie expire
+ - [x] Remove old cookie
 - [x] Pronouns
 - [x] Set pronouns
 - [ ] Change pronouns
diff --git a/src/auth.rs b/src/auth.rs
index 0d5da0a..09e1007 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -98,10 +98,15 @@ pub fn check_pin(mut cookies: Cookies, name: String, pin: i32) -> JsonValue {
  if i.name == name.to_lowercase() {
  if i.pin_hashed == hashed_pin_input {
  info!("pin correct for user {}", i.name);
+ // Create token for user & set a cookie
  let token = create_token(i.name.clone(), users);
- cookies.add(Cookie::new("token", token));
- cookies.add(Cookie::new("user", name));
+ let cookie = Cookie::build("token", token)
+ .path("/")
+ .secure(true)
+ .finish();
+ cookies.remove_private(Cookie::named("token"));
+ cookies.add_private(cookie);
  info!("set the token cookie");
  return json!({
@@ -109,6 +114,8 @@ pub fn check_pin(mut cookies: Cookies, name: String, pin: i32) -> JsonValue {
  "reason": "pin matches",
  });
  } else {
+ cookies.remove_private(Cookie::named("token"));
+ info!("removed private cookie");
  warn!("pin incorrect for user {}", i.name);
  return json!({
  "status": "fail",
@@ -117,6 +124,8 @@ pub fn check_pin(mut cookies: Cookies, name: String, pin: i32) -> JsonValue {
  };
  };
  }
+ cookies.remove_private(Cookie::named("token"));
+ info!("removed private cookie");
  warn!(
  "cannot check pin for user {} as they do not exist",
  name.to_string().to_lowercase()
diff --git a/src/chat.rs b/src/chat.rs
index 1d7909c..4c42e60 100644
--- a/src/chat.rs
+++ b/src/chat.rs
@@ -2,7 +2,8 @@ extern crate log;
 use once_cell::sync::Lazy;
 use std::sync::Mutex;
-use crate::file_io::read_json;
+use crate::file_io::db_read;
+use rocket::http::{Cookie, Cookies};
 use crate::message::{Message, MessageInput};
 use rocket_contrib::json::{Json, JsonValue};
 use chrono::prelude::*;
@@ -60,14 +61,13 @@ fn create_message(message: Json, file: &str, user: &User) -> JsonV
 }
 // Check if user can create the message, and then create more info about the message
-fn check_token(message: Json) -> JsonValue {
+fn check_token(token: Cookie, message: Json>) -> JsonValue {
  // check if token is correct for name given
- let users: Vec = read_json(); // create vector out of users in json file
-
+ let users: Vec = db_read(); // create vector out of users in json file
  for i in &users { // loop through elements
  if i.name == message.name.to_lowercase() { // if it finds the user in the file
- if i.session_token == message.token { // if token matches
+ if i.session_token == token.value() { // if token matches
  info!("user exists and given token matches");
  return create_message(message, "messages.json", i);
  } else {
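Review bot: The pair `cookies.remove_private(Cookie::named("token")); info!("removed private cookie");` is added verbatim in the wrong-pin branch of this hunk and again in the unknown-user path at `@@ -117,6 +124,8 @@`, while the success branch in the preceding hunk also calls `remove_private` right before `add_private`. Doing the removal once at the top of `check_pin`, before the user lookup, would cover all three outcomes with a single `cookies.remove_private(Cookie::named("token"));` and keep the paths from drifting as more failure cases are added; since every branch already ends by removing or replacing the cookie, that consolidation does not change behaviour. `check_pin` begins before the first of these hunks, so its loop header and the early part of the success branch are not visible here.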
@@ -88,6 +88,7 @@ fn check_token(message: Json) -> JsonValue {
 // Receive a basic message
 #[post("/message/send", format = "json", data = "")]
-pub fn send_message(message: Json>) -> JsonValue {
- check_token(message)
+pub fn send_message(message: Json>, mut cookies: Cookies) -> JsonValue {
+ let token = cookies.get_private("token").unwrap();
+ check_token(token, message)
 }
diff --git a/src/message.rs b/src/message.rs
index f85a865..11e6e6f 100644
--- a/src/message.rs
+++ b/src/message.rs
@@ -8,7 +8,6 @@ pub struct MessageInput<'r> {
  pub name: &'r str,
  pub body: &'r str,
  pub date: &'r str,
- pub token: &'r str,
 }
 #[derive(Debug, Deserialize, Serialize, Clone)]
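Review bot: `cookies.get_private("token").unwrap()` in the new `send_message` body panics whenever the request carries no `token` cookie or one that fails Rocket's authentication/decryption (`get_private` returns `None` in both cases), so any unauthenticated, expired or tampered request turns into a 500 and a panic log line instead of the `"status": "fail"` JSON that `check_pin` returns for bad credentials. Matching on the `Option` and returning a failure body keeps the response shape consistent with the rest of the handlers and removes a panic path reachable from the network. The comparison `i.session_token == token.value()` in `check_token` above is a plain string equality; that hunk is cut off in this view, so I note it only as something to revisit rather than as part of this change.
```rust
// … unchanged: #[post] attribute and send_message signature …
    // A missing, expired or tampered private cookie is an auth failure, not a server
    // error: get_private yields None when the cookie is absent or fails authentication.
    let token = match cookies.get_private("token") {
        Some(t) => t,
        None => {
            warn!("message rejected: no valid token cookie");
            return json!({ "status": "fail", "reason": "no valid token cookie" });
        }
    };
    check_token(token, message)
}
```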