Ram

Reputation: 33

Is it compulsory to add Secure Flag to a Cookie over HTTPS

Till now my site is only HTTPS and I have added cookie.SecureFlag = true. I want to open it for HTTP as well, so I'm forced to remove the SecureFlag from the cookie as it is not working over it. Can you please tell me whether my cookie sent through HTTPS (SSL) needs a secure flag? Will it be secured without it as well?

Upvotes: 0

Views: 1230

Answers (1)

Darin Dimitrov

Reputation: 1038810

If you set the secure flag, the cookie will only be sent to an HTTPS endpoint. If you need to send the cookie to non-secure endpoints you should not use this flag, although you should probably revise your design, as it is considered bad practice to send authentication cookies over a non-encrypted channel.

Bear in mind that it is not the secure flag that is actually securing anything inside the cookie. It is the SSL encryption which ensures that a man-in-the-middle will not be able to decrypt the value of the traffic. The secure flag only ensures that the browser will transmit the cookie over SSL.

Upvotes: 1
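Added example, not part of the answer above: a simplified JavaScript model of the browser rule the answer describes, showing which cookies are attached to an `http://` versus an `https://` request with and without the Secure attribute. The cookie names and values and the host `shop.example` are constructed, and Domain, Path, expiry and SameSite matching are deliberately left out.

```javascript
// Simplified model of the Secure-attribute rule only (assumption: every cookie
// otherwise matches the request's host and path).

// Parse one Set-Cookie header value into { name, value, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const flags = attrs.map(a => a.split('=')[0].toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.includes('secure'),
  };
}

// Build the Cookie request header a browser would attach for this URL.
function cookieHeaderFor(jar, url) {
  const isHttps = new URL(url).protocol === 'https:';
  return jar
    .filter(c => isHttps || !c.secure) // Secure cookies are withheld on plain HTTP
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Names of cookies that would cross the network unencrypted on an http:// request.
function exposedOverHttp(jar) {
  return jar.filter(c => !c.secure).map(c => c.name);
}

// Constructed sample: the same site with and without Secure on the session cookie.
const withFlag = [
  'session=abc123; Path=/; Secure; HttpOnly',
  'theme=dark; Path=/',
].map(parseSetCookie);

const withoutFlag = [
  'session=abc123; Path=/; HttpOnly',
  'theme=dark; Path=/',
].map(parseSetCookie);

for (const [label, jar] of [['Secure set', withFlag], ['Secure removed', withoutFlag]]) {
  console.log(label);
  console.log('  https ->', cookieHeaderFor(jar, 'https://shop.example/cart'));
  console.log('  http  ->', cookieHeaderFor(jar, 'http://shop.example/cart'));
  console.log('  cleartext exposure:', exposedOverHttp(jar).join(', '));
}
```

With the flag removed, the session cookie that was first set over HTTPS is also attached to the plain HTTP request, which is the exposure the answer warns about.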
