Tracker going all HTTPS

May 24, 2011 Dan Podsedly

About six months ago, a certain Firefox extension made headlines by making it incredibly easy for people to intercept insecure web cookies and access private information on major web sites such as Facebook, as well as Pivotal Tracker.

In response, we made session-wide HTTPS enabled by default, but made it possible to disable it on your profile. We also left the option to force HTTPS only access for specific projects.

This partial HTTPS approach required us to use a somewhat complicated secure cookie scheme to prevent secure session hijacking (aka “sidejacking”). While this did close the door to this particular attack vector, it introduced some session instability, especially in Safari, due to intermittent dropping of secure cookies. Also, full HTTPS is generally considered to be more secure.

In next week’s release, Tracker is going all HTTPS. The static front pages will remain non-HTTPS by default, but all internal pages, for example the dashboard and project pages, will now be HTTPS-only. This will make Tracker more secure, and it allows us to remove the extra cookies related to session hijacking prevention, which should help with unintentional browser session expiration.

In addition, we’re improving how the “remember me” option works – it will now allow you to stay signed in for 2 weeks in multiple browsers.

Note: You will continue to be able to use the API via plain HTTP, unless the project you’re accessing has the “Use HTTPS” option set.
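The policy described above (front pages reachable over plain HTTP, every internal page redirected to HTTPS, and the session cookie only ever issued with the Secure flag) can be expressed as a small Rack-style middleware. The following is an added example written for this post, not Pivotal Tracker's own code: the public path list, the cookie name `_tracker_session`, the host name and the demo application are all constructed placeholders.

```ruby
# Added example, not Pivotal Tracker's code. A minimal Rack-compatible middleware
# (plain Ruby, no gems required) that enforces an "all HTTPS except the static
# front pages" policy and makes sure the session cookie is never usable over HTTP.
class ForceHttps
  # Constructed assumption: exact paths that may still be served over plain HTTP.
  DEFAULT_PUBLIC_PATHS = %w[/ /features /pricing].freeze

  def initialize(app, public_paths: DEFAULT_PUBLIC_PATHS, session_cookie: '_tracker_session')
    @app = app
    @public_paths = public_paths
    @session_cookie = session_cookie # constructed cookie name
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    secure = https?(env)

    # Anything that is not a public front page is HTTPS-only: redirect, do not serve.
    unless secure || @public_paths.include?(path)
      location = "https://#{env['HTTP_HOST']}#{path}"
      location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
      return [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, ['Redirecting to HTTPS']]
    end

    status, headers, body = @app.call(env)
    if secure
      harden_session_cookie!(headers) # Secure + HttpOnly, so it is never sent in the clear
    else
      scrub_session_cookie!(headers)  # never establish a session over plain HTTP
    end
    [status, headers, body]
  end

  private

  # X-Forwarded-Proto should only be trusted when a reverse proxy you control sets it.
  def https?(env)
    env['rack.url_scheme'] == 'https' ||
      env['HTTPS'] == 'on' ||
      env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end

  # Set-Cookie may be a newline-joined string (older Rack) or an array (Rack 3).
  def each_cookie(headers)
    raw = headers['Set-Cookie']
    return nil if raw.nil?
    cookies = raw.is_a?(Array) ? raw : raw.split("\n")
    updated = yield(cookies)
    if updated.empty?
      headers.delete('Set-Cookie')
    else
      headers['Set-Cookie'] = raw.is_a?(Array) ? updated : updated.join("\n")
    end
  end

  def session_cookie?(cookie)
    cookie.start_with?("#{@session_cookie}=")
  end

  def harden_session_cookie!(headers)
    each_cookie(headers) do |cookies|
      cookies.map do |c|
        next c unless session_cookie?(c)
        c += '; Secure'   unless c =~ /;\s*secure(;|$)/i
        c += '; HttpOnly' unless c =~ /;\s*httponly(;|$)/i
        c
      end
    end
  end

  def scrub_session_cookie!(headers)
    each_cookie(headers) { |cookies| cookies.reject { |c| session_cookie?(c) } }
  end
end

# Constructed stand-in for the application: it naively sets a session cookie on
# every response, which is exactly what the middleware has to contain.
DEMO_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain',
          'Set-Cookie' => '_tracker_session=abc123; path=/' }, ['ok']]
end

# Drives one request through the middleware; returns the Rack triple.
def run_request(scheme:, path:, query: '', host: 'tracker.example.test')
  env = { 'rack.url_scheme' => scheme, 'PATH_INFO' => path,
          'QUERY_STRING' => query, 'HTTP_HOST' => host }
  ForceHttps.new(DEMO_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  [['http', '/'], ['http', '/projects/1'], ['https', '/projects/1']].each do |scheme, path|
    status, headers, = run_request(scheme: scheme, path: path)
    puts "#{scheme} #{path} -> #{status} #{headers.select { |k, _| %w[Location Set-Cookie].include?(k) }}"
  end
end
```

Note that the middleware does not only redirect: an HTTP response for a public page has its session cookie stripped, so a session can only be created on an HTTPS page, and that cookie carries the Secure and HttpOnly attributes. This is what makes the separate "secure cookie" bookkeeping the post describes unnecessary once every internal page is HTTPS-only. Per-project API exemptions like the one in the note above would be another entry in the allowed path list.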
