Jon Cram

Reputation: 17309

Should non-secure cookies be sent over HTTPS?

I'm writing code to determine if a given cookie should be set on requests for a given URL and am currently considering the secure attribute.

I understand that a cookie marked as secure must be sent over HTTPS and must not be sent over HTTP.

I'm not clear on whether a cookie that is not explicitly marked as secure can be sent over HTTPS.

Should cookies not marked as secure be sent over HTTPS?

Or, in other words, can you complete the following table?

Secure attribute value | Request URL scheme | Allow cookie to be set?
=====================================================================
 true                  | HTTPS              | Yes
 true                  | HTTP               | No
 false (or not set)    | HTTPS              | ?
 false (or not set)    | HTTP               | Yes

Upvotes: 1

Views: 1174

Answers (1)

Slicedpan

Reputation: 5015

Non-secure cookies can be sent over HTTPS. The secure flag is simply a way of instructing browsers to not send them across HTTP. They do not have to honour this, although I think all major browsers do.

They will happily send a non-secure cookie across HTTP though.

Upvotes: 1
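The decision the question asks about, written out as a small cookie-jar check. This is an added example, not code from the question or the answer. It follows the send rules of RFC 6265 section 5.4 and goes slightly beyond the question by also applying the domain and path matching that sit beside the secure check, so the four rows of the table can be produced by the same function. The cookie object shape (`domain`, `hostOnly`, `path`, `secure`) is an assumption of this example, and only the `https` scheme is treated as secure; real browsers also count a few other origins (for instance localhost) as secure, which the RFC leaves to the user agent.

```javascript
// Added example: decide whether a stored cookie is attached to a request.
// Cookie shape assumed here: { name, domain, hostOnly, path, secure }.

// RFC 6265 section 5.1.3: host "www.example.com" domain-matches "example.com",
// but an IP address never domain-matches anything except itself.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (!host.endsWith(domain)) return false;
  if (host[host.length - domain.length - 1] !== '.') return false;
  return !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// RFC 6265 section 5.1.4: "/docs" path-matches "/docs/x" but not "/docsx".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 section 5.4: a cookie is sent when the host matches, the path
// matches, and (if the secure flag is set) the request scheme is secure.
// A cookie without the secure flag is sent over both http and https.
function shouldSendCookie(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const scheme = url.protocol.replace(':', '');

  const hostOk = cookie.hostOnly
    ? host === cookie.domain
    : domainMatches(host, cookie.domain);
  if (!hostOk) return false;

  if (!pathMatches(url.pathname, cookie.path)) return false;

  // Only the https scheme counts as secure in this example (assumption).
  if (cookie.secure && scheme !== 'https') return false;

  return true;
}

// Builds the four-row table from the question by running the same check
// over a constructed cookie for each (secure flag, scheme) combination.
function secureDecisionTable() {
  const rows = [];
  for (const secure of [true, false]) {
    for (const scheme of ['https', 'http']) {
      const cookie = {
        name: 'sid', domain: 'example.com', hostOnly: true, path: '/', secure,
      };
      rows.push({
        secure,
        scheme,
        sent: shouldSendCookie(cookie, `${scheme}://example.com/`),
      });
    }
  }
  return rows;
}

for (const row of secureDecisionTable()) {
  console.log(`secure=${row.secure}\t${row.scheme}\tsent=${row.sent}`);
}
```

The secure flag only governs where the cookie is sent; it does not encrypt the value. Because a cookie without it goes out over plain HTTP, anyone on the network path can read it, so session cookies should carry the flag.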
