diff --git a/Pipfile b/Pipfile
index 1cedb3f5..8d79d3aa 100644
--- a/Pipfile
+++ b/Pipfile
@@ -7,7 +7,6 @@ name = "pypi"
 tornado = "==5.0.2"
 webassets = "==0.12.1"
 Unipath = "==1.1"
-requests = "*"
 
 [dev-packages]
 pytest = "==3.6.0"
diff --git a/Pipfile.lock b/Pipfile.lock
index d4ccb88b..4edfecc2 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "68a0d5093979093899f0f86faa82eb55f90f9a67a16b11a5701ea85096e72ee8"
+            "sha256": "391e254ddb902877afca9c07aa2306710ce6d1e207b029c1a8b5dc0115ee99a5"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -16,35 +16,6 @@
         ]
     },
     "default": {
-        "certifi": {
-            "hashes": [
-                "sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7",
-                "sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"
-            ],
-            "version": "==2018.4.16"
-        },
-        "chardet": {
-            "hashes": [
-                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
-                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
-            ],
-            "version": "==3.0.4"
-        },
-        "idna": {
-            "hashes": [
-                "sha256:2c6a5de3089009e3da7c5dde64a141dbc8551d5b7f6cf4ed7c2568d0cc520a8f",
-                "sha256:8c7309c718f94b3a625cb648ace320157ad16ff131ae0af362c9f21b80ef6ec4"
-            ],
-            "version": "==2.6"
-        },
-        "requests": {
-            "hashes": [
-                "sha256:6a1b267aa90cac58ac3a765d067950e7dbbf75b1da07e895d1f594193a40a38b",
-                "sha256:9c443e7324ba5b85070c4a818ade28bfabedf16ea10206da1132edaa6dda237e"
-            ],
-            "index": "pypi",
-            "version": "==2.18.4"
-        },
         "tornado": {
             "hashes": [
                 "sha256:1b83d5c10550f2653380b4c77331d6f8850f287c4f67d7ce1e1c639d9222fbc7",
@@ -64,13 +35,6 @@
             "index": "pypi",
             "version": "==1.1"
         },
-        "urllib3": {
-            "hashes": [
-                "sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b",
-                "sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f"
-            ],
-            "version": "==1.22"
-        },
         "webassets": {
             "hashes": [
                 "sha256:e7d9c8887343123fd5b32309b33167428cb1318cdda97ece12d0907fd69d38db"
diff --git a/atst/app.py b/atst/app.py
index 25721153..4c09faf0 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -12,51 +12,55 @@ from atst.handlers.dev import Dev
 from atst.home import home
 from atst.api_client import ApiClient
 
-
-routes = [
-    url(r"/", Login, {"page": "login"}, name="main"),
-    url(r"/login", Login, {"page": "login"}, name="login"),
-    url(r"/home", MainHandler, {"page": "home"}, name="home"),
-    url(r"/workspaces", Workspace, {"page": "workspaces"}, name="workspaces"),
-    url(r"/requests", Request, {"page": "requests"}, name="requests"),
-    url(r"/requests/new", RequestNew, {"page": "requests_new"}, name="request_new"),
-    url(
-        r"/requests/new/([0-9])",
-        RequestNew,
-        {"page": "requests_new"},
-        name="request_form",
-    ),
-    url(r"/users", MainHandler, {"page": "users"}, name="users"),
-    url(r"/reports", MainHandler, {"page": "reports"}, name="reports"),
-    url(r"/calculator", MainHandler, {"page": "calculator"}, name="calculator"),
-]
-
-env = os.getenv("TORNADO_ENV", "development")
-if not env == "production":
-    routes += [url(r"/login-dev", Dev, {"action": "login"}, name="dev-login")]
+ENV = os.getenv("TORNADO_ENV", "dev")
 
 def make_app(config):
 
-    authz_client = ApiClient(config['default']['AUTHZ_BASE_URL'])
+    authz_client = ApiClient(config["default"]["AUTHZ_BASE_URL"])
+
+    routes = [
+        url(r"/", Login, {"page": "login"}, name="main"),
+        url(r"/login", Login, {"page": "login"}, name="login"),
+        url(r"/home", MainHandler, {"page": "home"}, name="home"),
+        url(
+            r"/workspaces",
+            Workspace,
+            {"page": "workspaces", "authz_client": authz_client},
+            name="workspaces",
+        ),
+        url(r"/requests", Request, {"page": "requests"}, name="requests"),
+        url(r"/requests/new", RequestNew, {"page": "requests_new"}, name="request_new"),
+        url(
+            r"/requests/new/([0-9])",
+            RequestNew,
+            {"page": "requests_new"},
+            name="request_form",
+        ),
+        url(r"/users", MainHandler, {"page": "users"}, name="users"),
+        url(r"/reports", MainHandler, {"page": "reports"}, name="reports"),
+        url(r"/calculator", MainHandler, {"page": "calculator"}, name="calculator"),
+    ]
+
+    if not ENV == "production":
+        routes += [url(r"/login-dev", Dev, {"action": "login"}, name="dev-login")]
 
     app = tornado.web.Application(
         routes,
+        login_url="/login",
         template_path = home.child('templates'),
         static_path   = home.child('static'),
+        cookie_secret=config["default"]["COOKIE_SECRET"],
         debug=config['default'].getboolean('DEBUG')
     )
     return app
 
 
 def make_config():
-    BASE_CONFIG_FILENAME = os.path.join(
-        os.path.dirname(__file__),
-        '../config/base.ini',
-    )
+    BASE_CONFIG_FILENAME = os.path.join(os.path.dirname(__file__), "../config/base.ini")
     ENV_CONFIG_FILENAME = os.path.join(
         os.path.dirname(__file__),
-        '../config/',
-        '{}.ini'.format(os.getenv('TORNADO_ENV', 'dev').lower())
+        "../config/",
+        "{}.ini".format(ENV.lower()),
     )
     config = ConfigParser()
 
diff --git a/config/base.ini b/config/base.ini
index 98d53555..fb4a4daa 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -3,3 +3,4 @@ ENVIRONMENT = dev
 DEBUG = true
 AUTHZ_BASE_URL = http://localhost
 PORT = 8000
+COOKIE_SECRET = some-secret-please-replace