scn

Reputation: 45

Secure Cookies on http requests

What happens to secure cookies on HTTP requests? Will they be lost over the request? What will happen if the cookie is a secure auth cookie?

Upvotes: 0

Views: 406

Answers (1)

curiousguy

Reputation: 8270

RFC 6265 formalizes the behavior of HTTP cookies (as they work in the real world, not as they should ideally work, unlike some previous failed RFCs):

1. Introduction

This document defines the HTTP Cookie and Set-Cookie header fields.

The description of the behavior of the "secure" flag follows:

4.1.2.5. The Secure Attribute

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

In practice only connections over TLS (that is, HTTP/S) are considered secure. Browsers could conceivably define direct HTTP connections to host "localhost" or an IP address that is by definition "local" (address of that IP stack), like 127.0.0.1 or ::1, or other local addresses, as secure. That would be in the spirit of the specification. (I don't know of browsers that actually do so.)

Upvotes: 2
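To make the quoted rule concrete, here is an added example (not part of the answer or of any browser's code) that models a cookie jar and the RFC 6265 retrieval step for the Secure attribute. The cookie names, values and URLs are constructed; the "secure channel" test is a parameter, so the loopback variant the answer speculates about can be tried alongside the usual TLS-only definition.

```python
"""Model of the RFC 6265 rule quoted above: a cookie carrying the Secure
attribute is attached to a request only when the user agent regards the
channel as secure. Constructed example, not a browser implementation."""
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # set when Set-Cookie carried the Secure attribute


def parse_set_cookie(header: str) -> Cookie:
    """Read name=value and the (case-insensitive) Secure attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), secure)


def tls_only(url: str) -> bool:
    """What browsers use in practice: only HTTP over TLS is 'secure'."""
    return urlsplit(url).scheme == "https"


def tls_or_loopback(url: str) -> bool:
    """Hypothetical variant from the answer: also treat loopback hosts as secure."""
    host = urlsplit(url).hostname or ""
    return tls_only(url) or host in ("localhost", "127.0.0.1", "::1")


def cookie_header(jar: List[Cookie], url: str,
                  is_secure: Callable[[str], bool] = tls_only) -> str:
    """Build the Cookie request header. Secure cookies are withheld, not
    deleted: the jar is untouched, they are simply not sent on this request."""
    sent = [c for c in jar if not c.secure or is_secure(url)]
    return "; ".join(f"{c.name}={c.value}" for c in sent)


# Constructed jar: a Secure auth cookie and an ordinary preference cookie.
JAR = [parse_set_cookie("session=abc123; Secure; HttpOnly"),
       parse_set_cookie("theme=dark")]

if __name__ == "__main__":
    print(cookie_header(JAR, "https://example.com/"))  # session=abc123; theme=dark
    print(cookie_header(JAR, "http://example.com/"))   # theme=dark
    print(cookie_header(JAR, "http://localhost:8080/", tls_or_loopback))
```

The plain-HTTP request goes out without the auth cookie, so the server sees an unauthenticated request, while the cookie itself stays in the jar for the next HTTPS request.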
