diff --git a/app/controllers/contexts_controller.rb b/app/controllers/contexts_controller.rb
index 4a9984b8..228434d5 100644
--- a/app/controllers/contexts_controller.rb
+++ b/app/controllers/contexts_controller.rb
@@ -133,7 +133,7 @@ class ContextsController < ApplicationController
 @active_contexts = @contexts.find(:all, { :conditions => ["hide = ?", false]})
 @hidden_contexts = @contexts.find(:all, { :conditions => ["hide = ?", true]})
 @down_count = @active_contexts.size + @hidden_contexts.size
- cookies[:mobile_url]=request.request_uri
+ cookies[:mobile_url]= {:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}
 render :action => 'index_mobile'
 end
 end
@@ -143,7 +143,7 @@ class ContextsController < ApplicationController
 @page_title = "TRACKS::List actions in "+@context.name
 @not_done = @not_done_todos.select {|t| t.context_id == @context.id }
 @down_count = @not_done.size
- cookies[:mobile_url]=request.request_uri
+ cookies[:mobile_url]= {:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}
 @mobile_from_context = @context.id
 render :action => 'mobile_show_context'
 end
diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
index d6d41f4b..a9b7e8be 100644
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
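Review bot: The literal `{:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}` added in both hunks of this file is the same hash the commit writes in the projects and todos controllers, so the `mobile_url` cookie's attributes now live in seven places that will drift the next time one is changed. A private helper on ApplicationController, e.g. `def remember_mobile_url; cookies[:mobile_url] = {:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}; end`, keeps that policy in one place and lets an `:http_only` flag be added once later. Since the stored value is replayed through `redirect_to` in todos_controller, the helper deserves a comment such as `# request_uri is a relative path; it is later used as a redirect target, so never store an absolute URL here`. Both mobile actions touched here begin before their hunk, so the rest of each method is not visible.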
@@ -20,10 +20,10 @@ class LoginController < ApplicationController
 session['noexpiry'] = params['user_noexpiry']
 msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
 notify :notice, "Login successful: session #{msg}"
- cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year }
+ cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => TRACKS_COOKIES_SECURE }
 unless should_expire_sessions?
 @user.remember_me
- cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at }
+ cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => TRACKS_COOKIES_SECURE }
 end
 redirect_back_or_home
 return
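Review bot: The `auth_token` cookie on the second added line is a long-lived bearer credential (it carries `@user.remember_token` until `remember_token_expires_at`), and the commit adds `:secure` without `:http_only`, so it stays readable from script and any XSS on the site can copy it. If the Rails version in use accepts the option (Rails 2.0+ cookie jars do), the line should read `cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => TRACKS_COOKIES_SECURE, :http_only => true }`. The `tracks_login` cookie can take the same flag unless a view script reads it, which nothing in this hunk shows. The login action starts before and ends after this hunk.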
@@ -94,12 +94,12 @@ class LoginController < ApplicationController
 session['noexpiry'] = session['user_noexpiry']
 msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
 notify :notice, "You have successfully verified #{openid_url} as your identity. Login successful: session #{msg}"
- cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year }
+ cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => TRACKS_COOKIES_SECURE }
 unless should_expire_sessions?
 @user.remember_me
- cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at }
+ cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => TRACKS_COOKIES_SECURE }
 end
- cookies[:openid_url] = { :value => openid_url, :expires => Time.now + 1.year }
+ cookies[:openid_url] = { :value => openid_url, :expires => Time.now + 1.year, :secure => TRACKS_COOKIES_SECURE }
 redirect_back_or_home
 else
 notify :warning, "You have successfully verified #{openid_url} as your identity, but you do not have a Tracks account. Please ask your administrator to sign you up."
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 3889b8bd..da268803 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -204,7 +204,7 @@ class ProjectsController < ApplicationController
 @hidden_projects = @projects.select{ |p| p.hidden? }
 @completed_projects = @projects.select{ |p| p.completed? }
 @down_count = @active_projects.size + @hidden_projects.size + @completed_projects.size
- cookies[:mobile_url]=request.request_uri
+ cookies[:mobile_url]= {:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}
 render :action => 'index_mobile'
 end
 end
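Review bot: The three cookie writes in this OpenID hunk (`tracks_login`, `auth_token`, and the `remember_me` call around them) are a line-for-line copy of the password-login hunk earlier in this file, and the commit patches `:secure` into both copies separately; a private method such as `set_login_cookies` called from both paths would keep the attributes in one place, and the `:http_only => true` that the `auth_token` remember-me cookie still lacks would then be added once. The new `openid_url` cookie is issued for a year with only `:secure`; if it exists only to prefill the login form (its reader is not visible here) that is acceptable, but say so, e.g. `# convenience only: remembers the last verified OpenID for the login form; not used for authentication`. The enclosing method continues outside the hunk on both sides.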
@@ -217,7 +217,7 @@ class ProjectsController < ApplicationController
 @project_default_context = "The default context for this project is "+ @project.default_context.name
 end
- cookies[:mobile_url]=request.request_uri
+ cookies[:mobile_url]= {:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}
 @mobile_from_project = @project.id
 render :action => 'project_mobile'
 end
diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
index 49d9d0ca..bb72723b 100644
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@@ -229,7 +229,7 @@ class TodosController < ApplicationController
 format.m do
 if @saved
 if cookies[:mobile_url]
- cookies[:mobile_url] = nil
+ cookies[:mobile_url] = {:value => nil, :secure => TRACKS_COOKIES_SECURE}
 redirect_to cookies[:mobile_url]
 else
 redirect_to formatted_todos_path(:m)
@@ -370,7 +370,7 @@ class TodosController < ApplicationController
 @default_project_context_name_map = build_default_project_context_name_map(@projects).to_json
 }
 format.m {
- cookies[:mobile_url]=request.request_uri
+ cookies[:mobile_url]= {:value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}
 render :action => "mobile_tag"
 }
 end
@@ -608,7 +608,7 @@ class TodosController < ApplicationController
 lambda do
 @page_title = "All actions"
 @home = true
- cookies[:mobile_url]=request.request_uri
+ cookies[:mobile_url]= { :value => request.request_uri, :secure => TRACKS_COOKIES_SECURE}
 determine_down_count
 render :action => 'index'
diff --git a/config/environment.rb.tmpl b/config/environment.rb.tmpl
index 903df142..d8123647 100644
--- a/config/environment.rb.tmpl
+++ b/config/environment.rb.tmpl
@@ -93,6 +93,8 @@ if (AUTHENTICATION_SCHEMES.include? 'open_id') #requires ruby-openid gem to be installed
 end
+# setting this to true will make the cookies only available over HTTPS
+TRACKS_COOKIES_SECURE = false
 MOBILE_CONTENT_TYPE = 'tracks/mobile'
 Mime::Type.register(MOBILE_CONTENT_TYPE, :m)
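Review bot: In the todos hunk at line 229 the added line clears `mobile_url` by writing a hash whose `:value` is nil, and the very next line does `redirect_to cookies[:mobile_url]`, so whether the redirect sees the request's cookie or the freshly written nil depends on how this Rails version's CookieJar implements `[]` after `[]=`; the original had the same ordering, but touching the line is the moment to make it explicit. Read the target into a local first and use the jar's delete, which sends an expiring Set-Cookie instead of an empty-valued one: `target = cookies[:mobile_url]`, `cookies.delete(:mobile_url)`, `redirect_to target`. Because the target is a client-supplied cookie value, the redirect should also be restricted to a local path (e.g. reject anything not starting with `/`) rather than used as written. The surrounding `respond_to` block starts before and ends after this hunk.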
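Review bot: `TRACKS_COOKIES_SECURE` is introduced only in `config/environment.rb.tmpl`, yet every controller line in this commit references the constant unconditionally, so an existing installation whose generated `environment.rb` predates this template will raise `NameError` on login and on every mobile page until the admin copies the new line across. A guarded default near the first use, e.g. `TRACKS_COOKIES_SECURE = false unless defined?(TRACKS_COOKIES_SECURE)` in an initializer or at the top of `lib/login_system.rb`, or at least an upgrade note, avoids that breakage. The template comment should also state the consequence of the default, e.g. `# Set to true when Tracks is served over HTTPS; with false the login, auth_token and openid_url cookies are also sent over plain HTTP.`. The surrounding `if` block and the lines after `Mime::Type.register` are outside the hunk.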
diff --git a/lib/login_system.rb b/lib/login_system.rb
index 388ef63a..92128422 100644
--- a/lib/login_system.rb
+++ b/lib/login_system.rb
@@ -48,7 +48,7 @@ module LoginSystem
 session['user_id'] = user.id
 set_current_user(user)
 current_user.remember_me
- cookies[:auth_token] = { :value => current_user.remember_token , :expires => current_user.remember_token_expires_at }
+ cookies[:auth_token] = { :value => current_user.remember_token , :expires => current_user.remember_token_expires_at, :secure => TRACKS_COOKIES_SECURE }
 flash[:notice] = "Logged in successfully. Welcome back!"
 end
 end
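Review bot: This is the third place in the commit that writes the `auth_token` remember-me cookie (the password and OpenID paths in `LoginController` do the same), and like those it gains `:secure` but not `:http_only`, leaving the remember token readable by script. If `LoginController` includes this module, a single method here, e.g. `def set_auth_token_cookie; cookies[:auth_token] = { :value => current_user.remember_token, :expires => current_user.remember_token_expires_at, :secure => TRACKS_COOKIES_SECURE, :http_only => true }; end`, would let the controller paths call it instead of repeating the literal, provided the Rails version in use accepts `:http_only`. The method containing this hunk starts before it and ends after it.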