Castro Roy

Reputation: 7823

Is a cookie secure in an HTTPS connection?

Upvotes: 17

Views: 5086

Answers (3)

Pointy

Reputation: 414036

It is transmitted to and from the server encrypted, so it's as secure as TLS is.

You can also flag a cookie as being intended only for client->server communication, and block access from client-side JavaScript, by adding the "HttpOnly" flag in the "Set-Cookie" response header.

edit — and as @Bruno suggests, you can also use the "Secure" flag (in the same header) to tell the browser that the cookie should only be sent back to the server in HTTPS requests. As @D.W. points out in a newer comment, that can be quite important, as you almost certainly don't want your important secured cookies to be transmitted on unsecured interactions (say, prior to login from a non-secure public portion of a site). If all the interactions with a particular cookie domain are HTTPS, then that might not be necessary, but it's such a simple thing that there's no reason not to do it.

edit — update, a long time later: use the Secure flag :)

Upvotes: 19

Gerhard Schlager

Reputation: 3155

Cookies are sent within the HTTP header. Thus they are as secure as the HTTPS connection which depends on a lot of SSL/TLS parameters like cipher strength or length of the public key.

Please keep in mind that unless you set the Secure flag for your cookie, the cookie can be transmitted over an insecure HTTP connection. There are man-in-the-middle attacks that use such insecure cookies to steal session information. So, unless you have a good reason not to, always set the Secure flag for cookies when you want them only transmitted over HTTPS.

Upvotes: 8
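The Secure and HttpOnly attributes that Pointy's and Gerhard Schlager's answers recommend, shown end to end as an added example (this code is not from either answer or from any browser or library). It builds a Set-Cookie header, parses it back, and models the two browser decisions the answers describe: a Secure cookie is never attached to a plain http: request, and an HttpOnly cookie never appears in document.cookie. The browser model is a deliberate simplification (Domain, Expires and the localhost exception for Secure are left out), and the host names and cookie values are constructed for the example.

```javascript
'use strict';
// Added example: Set-Cookie attributes and a simplified model of how a
// browser honours them. Not from the original question or answers; the
// hostnames and values below are constructed for illustration.

// Build a Set-Cookie header value.
// opts: { secure, httpOnly, sameSite, path, maxAge }
function buildSetCookie(name, value, opts = {}) {
  // Cookie names must be RFC 6265 tokens; refuse anything else.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  // Reject characters that would let a value inject extra attributes.
  if (/[\s;,\\"]/.test(value)) {
    throw new Error('invalid cookie value');
  }
  const parts = [`${name}=${value}`];
  parts.push(`Path=${opts.path || '/'}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');     // only ever sent over HTTPS
  if (opts.httpOnly) parts.push('HttpOnly'); // hidden from document.cookie
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value back into a cookie object.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'path': cookie.path = v || '/'; break;
      case 'samesite': cookie.sameSite = v; break;
      default: break; // Domain, Max-Age, Expires are ignored in this model
    }
  }
  return cookie;
}

// Simplified browser decision: would this cookie be attached to a request?
// A Secure cookie is never sent over plain http:, which is what blocks the
// cleartext leak (and the MITM session theft) the answers warn about.
function wouldBeSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== 'https:') return false;
  const path = url.pathname || '/';
  // RFC 6265 path-match: identical, or the cookie path is a prefix that
  // ends in '/' or is followed by '/' in the request path.
  if (path === cookie.path) return true;
  if (path.startsWith(cookie.path)) {
    return cookie.path.endsWith('/') || path[cookie.path.length] === '/';
  }
  return false;
}

// What document.cookie would expose to page scripts (including injected ones).
function visibleToScript(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Stand-alone run: a session cookie with both flags next to a plain one.
const sessionHeader = buildSetCookie('sid', 'abc123', {
  secure: true, httpOnly: true, sameSite: 'Lax',
});
const session = parseSetCookie(sessionHeader);
const theme = parseSetCookie(buildSetCookie('theme', 'dark'));
console.log(sessionHeader);
console.log('sid over https:', wouldBeSent(session, 'https://example.test/account'));
console.log('sid over http: ', wouldBeSent(session, 'http://example.test/account'));
console.log('document.cookie:', visibleToScript([session, theme]));
```

The point the two answers make shows up in the last three lines: without Secure, the first http:// request to the same host (a redirect, an image, a link typed without the scheme) carries the session cookie in cleartext, and without HttpOnly any script running on the page can read it.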

joni

Reputation: 5482

In the connection, yes. But it's still stored on the client's machine unencrypted.

Upvotes: 7
