diff --git a/services/web-ui/nginx.conf b/services/web-ui/nginx.conf
index 0f3ecd4..e3b2e91 100644
--- a/services/web-ui/nginx.conf
+++ b/services/web-ui/nginx.conf
@@ -1,3 +1,16 @@
+# Map for proper WebSocket upgrade handling on the proxied locations below.
+# Without this, hardcoding `proxy_set_header Connection "upgrade"` puts nginx
+# into tunnel-mode for every request — which silently drops response headers
+# including Set-Cookie. That broke session-cookie auth on /api/v1/auth/login:
+# mam-api was issuing the cookie, web-ui's proxy was eating it before it
+# reached the browser. With this map, Connection is only set to "upgrade"
+# when the client actually requested an Upgrade (real WebSocket); otherwise
+# it's "close" and the response flows through normally.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
 server {
     listen 80;
     server_name _;
@@ -54,7 +67,7 @@ server {
         proxy_pass $api_upstream;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+        proxy_set_header Connection $connection_upgrade;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -74,7 +87,7 @@ server {
         proxy_pass $capture_upstream;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+        proxy_set_header Connection $connection_upgrade;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;