Tracker going all HTTPS

May 24, 2011 Dan Podsedly

About six months ago, a certain Firefox extension made headlines by making it incredibly easy for people to intercept insecure web cookies and access private information on major web sites such as Facebook, as well as Pivotal Tracker.

In response, we made session-wide HTTPS enabled by default, but made it possible to disable it on your profile. We also left the option to force HTTPS only access for specific projects.

This partial HTTPS approach required us to use a somewhat complicated secure cookie scheme to prevent secure session hijacking (aka “sidejacking”). While this did close the door to this particular attack vector, it introduced some session instability, especially in Safari, due to intermittent dropping of secure cookies. Also, full HTTPS is generally considered to be more secure.

In next week’s release, Tracker is going all HTTPS. The static front pages will remain non-HTTPS by default, but all internal pages, for example the dashboard and project pages, will now be HTTPS-only. This will make Tracker more secure, and it allows us to remove the extra cookies related to session hijacking prevention, which should help with unintentional browser session expiration.

In addition, we’re improving how the “remember me” option works – it will now allow you to stay signed in for 2 weeks in multiple browsers.

Note: You will continue to be able to use the API via plain HTTP, unless the project you’re accessing has the “Use HTTPS” option set.
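As an added illustration of the policy described above (not Tracker's own code), here is a minimal Rack-style middleware in Ruby that redirects non-static pages to HTTPS, leaves the API reachable over plain HTTP unless the project's “Use HTTPS” option is set, and marks session cookies as Secure and HttpOnly on HTTPS responses, which is the property the old two-cookie scheme was approximating. The public path list, the API route shape, and the project lookup are assumptions made for the example.

```ruby
require "set"

# Assumed static front pages that may still be served over plain HTTP.
PUBLIC_PATHS = ["/", "/about", "/pricing"].freeze
# Assumed shape of the API routes; the project id is the next path segment.
API_PREFIX = "/services/v3/projects/"

class ForceHttps
  # https_projects: ids of projects whose "Use HTTPS" option is on (assumed lookup).
  def initialize(app, https_projects: Set.new)
    @app = app
    @https_projects = https_projects
  end

  # Rack entry point: env is the request hash, the return value is [status, headers, body].
  def call(env)
    path = env["PATH_INFO"]
    https = env["rack.url_scheme"] == "https"

    if !https && https_required?(path)
      location = "https://#{env["HTTP_HOST"]}#{path}"
      location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
      return [301, { "Location" => location, "Content-Type" => "text/plain" }, ["Redirecting"]]
    end

    status, headers, body = @app.call(env)
    headers = secure_cookies(headers) if https
    [status, headers, body]
  end

  # Static front pages: HTTP allowed. API: HTTP allowed unless the project forces HTTPS.
  # Everything else (dashboard, project pages, ...) is HTTPS-only.
  def https_required?(path)
    return false if PUBLIC_PATHS.include?(path)
    if path.start_with?(API_PREFIX)
      project_id = path.delete_prefix(API_PREFIX).split("/").first.to_i
      return @https_projects.include?(project_id)
    end
    true
  end

  # Add Secure (browser sends the cookie only over TLS) and HttpOnly (no script access)
  # to every cookie the application sets, so a plain-HTTP request can no longer leak it.
  def secure_cookies(headers)
    raw = headers["Set-Cookie"]
    return headers unless raw
    secured = raw.split("\n").map do |c|
      c += "; Secure" unless c =~ /;\s*secure/i
      c += "; HttpOnly" unless c =~ /;\s*httponly/i
      c
    end
    headers.merge("Set-Cookie" => secured.join("\n"))
  end
end

# Constructed sample application: every response sets a session cookie.
EXAMPLE_APP = ->(_env) { [200, { "Set-Cookie" => "session=abc; Path=/" }, ["ok"]] }

def example_request(path, scheme: "http")
  { "PATH_INFO" => path, "rack.url_scheme" => scheme,
    "HTTP_HOST" => "tracker.example", "QUERY_STRING" => "" }
end

if __FILE__ == $0
  mw = ForceHttps.new(EXAMPLE_APP, https_projects: Set[42])
  puts mw.call(example_request("/dashboard")).first                 # 301
  puts mw.call(example_request("/dashboard", scheme: "https"))[1]   # cookie now Secure; HttpOnly
end
```

In a real deployment the redirect should be paired with a long-lived HSTS header so that browsers stop issuing the first plain-HTTP request at all; the middleware above only covers the application-side policy the post describes.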
