Reputation: 940
The Secure cookie flag stops cookies being sent over HTTP. The HTTPOnly flag stops JavaScript from accessing cookies.
Is it a realistic guideline that HTTPS only sites always use Secure and HTTPOnly cookies? What about mixed HTTPS and HTTP sites? What are the disadvantages?
Obviously, if you need the cookie on both your HTTPS and HTTP pages, as well as JavaScript access, for your site to work, you couldn't use those flags; but would a well-designed site ever need to do this?
Upvotes: 4
Views: 4559
Reputation: 5249
There is a similar question on the Information Security Stack Exchange site. Jonathan's answer includes the following: "For HTTP Only, you might want javascript to interact with the cookie. Maybe you track page state in a cookie, write to the cookie with JS, and read from JS." In other words, HTTPOnly can interfere if you want to maintain a user's UI preferences across sessions using cookies.
Upvotes: 1
Reputation: 944202
Is it a realistic guideline that HTTPS only sites always use Secure and HTTPOnly cookies?
Yes.
What about mixed HTTPS and HTTP sites?
Don't create mixed HTTPS/HTTP sites. Just… don't.
CPU is no longer so expensive that using HTTPS everywhere is a serious overhead. Search engines treat HTTPS-only as a positive ranking indicator.
What are the disadvantages?
There aren't any.
If you really need to access a cookie from plain HTTP or from JS, then you can turn off the setting. That's the point of guidelines: you can break them when there is a good reason. There just very rarely is in this case.
Upvotes: 6
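To make the guideline in these answers checkable, here is an added example (not from any of the posters) that emits a Secure + HttpOnly session cookie with the standard library and audits a constructed list of Set-Cookie headers for the two flags; the header values and cookie names are made up for illustration.

```python
"""Emit and audit cookies for the Secure and HttpOnly flags discussed above."""
from __future__ import annotations

from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value suitable for an HTTPS-only site.

    Secure keeps the cookie off plain-HTTP requests; HttpOnly hides it from
    document.cookie. SameSite is added because it is the usual companion,
    though the discussion above does not cover it.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True     # never transmitted over http://
    jar[name]["httponly"] = True   # not readable by page JavaScript
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and report whether each flag is present."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive per RFC 6265, so normalise them.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def missing_flags(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to the flags it lacks; an empty list means compliant."""
    report: dict[str, list[str]] = {}
    for header in headers:
        info = audit_set_cookie(header)
        report[info["name"]] = [f for f in ("Secure", "HttpOnly") if not info[f.lower()]]
    return report


# Constructed sample headers, as a response from an HTTPS-only site might send them.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/",          # UI preference the site's own JS reads: the HttpOnly exception
    "csrf=xyz789; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, lacking in missing_flags(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not lacking else "missing " + ", ".join(lacking))
    print(build_session_cookie("sid", "abc123"))
```

Running it flags `prefs` (neither flag, which is defensible only for a JS-read preference) and `csrf` (no HttpOnly), while the generated cookie passes the same audit.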