diff --git a/apps/desktop/src/main.tsx b/apps/desktop/src/main.tsx
index 7330174..2ed2854 100644
--- a/apps/desktop/src/main.tsx
+++ b/apps/desktop/src/main.tsx
@@ -430,14 +430,36 @@ function App() {
 }
 }
- const openSystem = useCallback(() => {
+ const openSystem = useCallback(async () => {
 if (!token) return
 setIsLaunchingSystem(true)
+ try {
+ // Tenta criar a sessão via API (evita dependência de redirecionamento + cookies em 3xx)
+ const res = await fetch(`${apiBaseUrl}/api/machines/sessions`, {
+ method: "POST",
+ credentials: "include",
+ headers: { "Content-Type": "application/json" },
+ body: JSON.stringify({ machineToken: token, rememberMe: true }),
+ })
+ if (!res.ok) {
+ // Fallback para o handshake por redirecionamento
+ const persona = (config?.accessRole ?? accessRole) === "manager" ? "manager" : "collaborator"
+ const redirectTarget = persona === "manager" ? "/dashboard" : "/portal"
+ const url = `${resolvedAppUrl}/machines/handshake?token=${encodeURIComponent(token)}&redirect=${encodeURIComponent(redirectTarget)}`
+ window.location.href = url
+ return
+ }
+ } catch {
+ const persona = (config?.accessRole ?? accessRole) === "manager" ? "manager" : "collaborator"
+ const redirectTarget = persona === "manager" ? "/dashboard" : "/portal"
+ const url = `${resolvedAppUrl}/machines/handshake?token=${encodeURIComponent(token)}&redirect=${encodeURIComponent(redirectTarget)}`
+ window.location.href = url
+ return
+ }
 const persona = (config?.accessRole ?? accessRole) === "manager" ? "manager" : "collaborator"
 const redirectTarget = persona === "manager" ? "/dashboard" : "/portal"
- const url = `${resolvedAppUrl}/machines/handshake?token=${encodeURIComponent(token)}&redirect=${encodeURIComponent(redirectTarget)}`
- window.location.href = url
- }, [token, config?.accessRole, accessRole, resolvedAppUrl])
+ window.location.href = `${resolvedAppUrl}${redirectTarget}`
+ }, [token, config?.accessRole, accessRole, resolvedAppUrl, apiBaseUrl])
 async function reprovision() {
 if (!store) return
diff --git a/src/app/api/machines/sessions/route.ts b/src/app/api/machines/sessions/route.ts
index de17f21..31f611c 100644
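Review bot: The fallback still sends the machine token in a URL: any `!res.ok` (including a 401/403, where the server has presumably rejected the token) and any thrown error navigates to `/machines/handshake?token=…`, so the value the POST keeps in the request body can still end up in navigation history and request logs. Consider limiting the fallback to network failures and 5xx responses, e.g. `if (!res.ok && res.status < 500) { setIsLaunchingSystem(false); return }`, and showing an error for the rest. The `persona`/`redirectTarget`/`url` lines appear three times; computing `redirectTarget` once above the `try` would leave a single handshake URL to audit. If `apiBaseUrl` and `resolvedAppUrl` can be different origins, it is worth confirming that the cookies set by the `fetch` response apply to the final navigation. `App()` starts and continues outside the hunk.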
--- a/src/app/api/machines/sessions/route.ts
+++ b/src/app/api/machines/sessions/route.ts
@@ -43,9 +43,26 @@ export async function POST(request: Request) {
 { status: 200 }
 )
- session.headers.forEach((value, key) => {
- response.headers.set(key, value)
- })
+ // Propaga cookies de sessão do Better Auth com segurança.
+ // Em alguns ambientes, múltiplos Set-Cookie são colapsados; tentamos cobrir ambos.
+ const headersAny = session.headers as unknown as { getSetCookie?: () => string[] }
+ const setCookies: string[] = []
+ try {
+ if (typeof headersAny?.getSetCookie === "function") {
+ setCookies.push(...(headersAny.getSetCookie() ?? []))
+ } else {
+ const single = session.headers.get("set-cookie")
+ if (single) setCookies.push(single)
+ }
+ } catch {
+ const single = session.headers.get("set-cookie")
+ if (single) setCookies.push(single)
+ }
+
+ for (const cookie of setCookies) {
+ // Usa append para não sobrescrever múltiplos cookies (authsession e assinatura, por exemplo)
+ response.headers.append("set-cookie", cookie)
+ }
 const machineCookiePayload = {
 machineId: session.machine.id,
diff --git a/src/app/machines/handshake/route.ts b/src/app/machines/handshake/route.ts
index 7d2bcb6..67430fb 100644
--- a/src/app/machines/handshake/route.ts
+++ b/src/app/machines/handshake/route.ts
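Review bot: The fallback branch does not preserve multiple cookies: where `getSetCookie` is unavailable, `session.headers.get("set-cookie")` returns all Set-Cookie values joined into one comma-separated string, and appending that as a single header hands the browser one malformed cookie, so the second cookie or the first one's attributes can be lost. The same fallback is repeated in the `catch` here and in the hunk for `src/app/machines/handshake/route.ts`. Since the comment says both cases are covered, either state the limit next to the fallback, e.g. `// get() joins multiple Set-Cookie values; the result cannot be split safely on commas (Expires contains one)`, or treat a missing `getSetCookie` as an error instead of forwarding a merged header. A shared helper used by both routes would also stop the two copies drifting (one uses `const` with `push`, the other `let` with reassignment). POST's body starts and continues outside the hunk.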
@@ -50,13 +50,24 @@ export async function GET(request: NextRequest) {
 const session = await createMachineSession(token, true)
 const response = NextResponse.redirect(redirectUrl)
- session.headers.forEach((value, key) => {
- if (key.toLowerCase() === "set-cookie") {
- response.headers.append("set-cookie", value)
+ // Propaga os cookies de sessão do Better Auth (podem vir múltiplos)
+ const headersAny = session.headers as unknown as { getSetCookie?: () => string[] }
+ let setCookies: string[] = []
+ try {
+ if (typeof headersAny?.getSetCookie === "function") {
+ setCookies = headersAny.getSetCookie() ?? []
 } else {
- response.headers.set(key, value)
+ const single = session.headers.get("set-cookie")
+ if (single) setCookies = [single]
 }
- })
+ } catch {
+ const single = session.headers.get("set-cookie")
+ if (single) setCookies = [single]
+ }
+
+ for (const cookie of setCookies) {
+ response.headers.append("set-cookie", cookie)
+ }
 const machineCookiePayload = {
 machineId: session.machine.id,
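Review bot: An empty `setCookies` is not handled: if neither `getSetCookie()` nor `get("set-cookie")` yields a value, the loop appends nothing and the route still returns the redirect, so the client reaches the target without a session cookie and nothing records why. A guard after the try/catch, such as `if (setCookies.length === 0) console.error("machine handshake: no session cookie to propagate")`, or an error response in place of the redirect, would make that case visible. The `catch` also discards whatever `getSetCookie()` threw without logging it. GET's body starts and continues outside the hunk.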