diff --git a/api/src/app.ts b/api/src/app.ts
index 6879eff..27aff05 100644
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -13,11 +13,14 @@ dotenv.config()
 const app = express()
 
 const { MODE, CORS, PORT_WEB } = process.env
+const whiteList = [
+  `http://localhost:${PORT_WEB ?? 3000}`,
+  'https://sas.analytium.co.uk:8343'
+]
+
 if (MODE?.trim() !== 'server' || CORS?.trim() === 'enable') {
   console.log('All CORS Requests are enabled')
-  app.use(
-    cors({ credentials: true, origin: `http://localhost:${PORT_WEB ?? 3000}` })
-  )
+  app.use(cors({ credentials: true, origin: whiteList }))
 }
 
 app.use(express.json({ limit: '50mb' }))
diff --git a/api/src/controllers/internal/Execution.ts b/api/src/controllers/internal/Execution.ts
index 5abb742..38cb88d 100644
--- a/api/src/controllers/internal/Execution.ts
+++ b/api/src/controllers/internal/Execution.ts
@@ -37,6 +37,7 @@ export class ExecutionController {
 
     const session = await sessionController.getSession()
     session.inUse = true
+    session.consumed = true
 
     const logPath = path.join(session.path, 'log.log')
 
@@ -100,7 +101,7 @@ ${program}`
     await createFile(codePath + '.bkp', program)
     await moveFile(codePath + '.bkp', codePath)
 
-    // we now need to poll the session array
+    // we now need to poll the session status
     while (!session.completed) {
       await delay(50)
     }
@@ -115,8 +116,8 @@ ${program}`
     const debugValue =
       typeof vars._debug === 'string' ? parseInt(vars._debug) : vars._debug
 
+    // it should be deleted by scheduleSessionDestroy
     session.inUse = false
-    sessionController.deleteSession(session)
 
     if (returnJson) {
       return {
diff --git a/api/src/controllers/internal/Session.ts b/api/src/controllers/internal/Session.ts
index e9bf581..8e5ef75 100644
--- a/api/src/controllers/internal/Session.ts
+++ b/api/src/controllers/internal/Session.ts
@@ -12,7 +12,8 @@ import {
   createFile,
   fileExists,
   generateTimestamp,
-  readFile
+  readFile,
+  moveFile
 } from '@sasjs/utils'
 
 const execFilePromise = promisify(execFile)
@@ -20,8 +21,11 @@ const execFilePromise = promisify(execFile)
 export class SessionController {
   private sessions: Session[] = []
 
+  private getReadySessions = (): Session[] =>
+    this.sessions.filter((sess: Session) => sess.ready && !sess.consumed)
+
   public async getSession() {
-    const readySessions = this.sessions.filter((sess: Session) => sess.ready)
+    const readySessions = this.getReadySessions()
 
     const session = readySessions.length
       ? readySessions[0]
@@ -32,8 +36,9 @@ export class SessionController {
     return session
   }
 
-  private async createSession() {
+  private async createSession(): Promise<Session> {
     const sessionId = generateUniqueFileName(generateTimestamp())
+    console.log('creating session', sessionId)
     const sessionFolder = path.join(getTmpSessionsFolderPath(), sessionId)
 
     const creationTimeStamp = sessionId.split('-').pop() as string
@@ -47,6 +52,7 @@ export class SessionController {
       id: sessionId,
       ready: false,
       inUse: false,
+      consumed: false,
       completed: false,
       creationTimeStamp,
       deathTimeStamp,
@@ -105,15 +111,16 @@ export class SessionController {
     return session
   }
 
-  public async waitForSession(session: Session) {
+  private async waitForSession(session: Session) {
     const codeFilePath = path.join(session.path, 'code.sas')
 
     // TODO: don't wait forever
     while ((await fileExists(codeFilePath)) && !session.crashed) {}
-    console.log('session crashed?', !!session.crashed, session.crashed || '')
+
+    if (session.crashed)
+      console.log('session crashed! while waiting to be ready', session.crashed)
 
     session.ready = true
-    return Promise.resolve(session)
   }
 
   public async deleteSession(session: Session) {
@@ -121,11 +128,9 @@ export class SessionController {
     await deleteFolder(session.path)
 
     // remove the session from the session array
-    if (session.ready) {
-      this.sessions = this.sessions.filter(
-        (sess: Session) => sess.id !== session.id
-      )
-    }
+    this.sessions = this.sessions.filter(
+      (sess: Session) => sess.id !== session.id
+    )
   }
 
   private scheduleSessionDestroy(session: Session) {
diff --git a/api/src/types/Session.ts b/api/src/types/Session.ts
index cf3e490..0507a6d 100644
--- a/api/src/types/Session.ts
+++ b/api/src/types/Session.ts
@@ -5,6 +5,7 @@ export interface Session {
   deathTimeStamp: string
   path: string
   inUse: boolean
+  consumed: boolean
   completed: boolean
   crashed?: string
 }