diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..3645ecc --- /dev/null +++ b/TODO.md @@ -0,0 +1,24 @@ +# TODO List + +## Security Improvements + +### Make Server Secret Configurable +Currently, the server secret used for cookie encryption is not configurable and uses Rocket's default. We should: +- Add a configuration option for the server secret +- Allow it to be set via environment variable or config file +- Generate and persist a random secret on first run if none is provided +- Add documentation about the security implications of the secret + +### Improve Session Management +Current session management is basic and needs improvement: +- Replace simple user_id cookie with a proper session system +- Add session expiry and renewal logic +- Store sessions in the database with proper cleanup +- Add ability to revoke sessions +- Consider adding "remember me" functionality +- Add session tracking (last used, IP, user agent, etc.) + +Reference: [Current basic implementation in user.rs](src/user.rs) with the comment: +```rust +// TODO there should be a more complicated notion of a session +``` \ No newline at end of file
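Review bot: the "Generate and persist a random secret on first run if none is provided" item under "Make Server Secret Configurable" does not say where the generated secret is written or how it is protected, so the TODO should state the persistence location, that it must be created with owner-only permissions and excluded from version control, and the precedence between the environment variable, the config file and the generated fallback (the preceding bullet lists both sources without an order). Similarly, "Add session tracking (last used, IP, user agent, etc.)" records personal data, so the "Store sessions in the database with proper cleanup" bullet should define the retention/expiry that the cleanup enforces, and "Add ability to revoke sessions" should say whether revocation covers all sessions of a user as well as a single one. Minor: the file is added without a trailing newline ("No newline at end of file"); add one.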