How does cookie “Secure” flag work?

by

The client sets this only for encrypted connections and this is defined in RFC 6265:

The Secure attribute limits the scope of the cookie to “secure” channels (where “secure” is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).

More Related Contents:

  1. What is the difference between server side cookie and client side cookie?
  2. Is a URL with // in the path-section valid?
  3. Share cookie between subdomain and domain
  4. How do browser cookie domains work?
  5. How to detect server-side whether cookies are disabled
  6. Why is it common to put CSRF prevention tokens in cookies?
  7. How to handle multiple cookies with the same name?
  8. Correct way to delete cookies server-side
  9. Cookie handling in Google Apps Script – How to send cookies in header?
  10. Why can’t I set a cookie and redirect?
  11. How are cookies passed in the HTTP protocol?
  12. How do I create a persistent vs a non-persistent cookie?
  13. Save cookies between two curl requests
  14. Domain set cookie for subdomain
  15. Share cookies between subdomain and domain
  16. Share a cookie between two websites
  17. Reading cookies via HTTPS that were set using HTTP
  18. Sending browser cookies during a 302 redirect
  19. Should cookie values be URL encoded?
  20. Is it possible to set more than one cookie with a single Set-Cookie?
  21. REST HTTP status codes for failed validation or invalid duplicate
  22. How to $http Synchronous call with AngularJS
  23. Why is it said that “HTTP is a stateless protocol”?
  24. How do I make an http request using cookies on Android?
  25. Angular2 http.get() ,map(), subscribe() and observable pattern – basic understanding
  26. Why shouldn’t data be modified on an HTTP GET request?
  27. How to use angular2 http API for tracking upload/download progress
  28. Doing a HTTP PUT from a browser
  29. Custom HTTP Authorization Header
  30. Multiple HTTP Authorization headers?

Leave a Comment