Reading cookies via HTTPS that were set using HTTP

by

Cookies set with the “Secure” keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction – if “secure” is absent, the cookie may be sent over an insecure connection.

In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.

  • HTTP: Cookie with “Secure” will be returned only on HTTPS connections (pointless to do, see note below)
  • HTTPS: Cookie with “Secure” will be returned only on HTTPS connections
  • HTTP: Cookie without “Secure” will be returned on HTTP or HTTPS connections
  • HTTPS: Cookie without “Secure” will be returned on HTTP or HTTPS connections (could leak secure information)

Reference: RFC 2109
See 4.2.2 (page 4), 4.3.1

Note: It is no longer possible to set “secure” cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.

More Related Contents:

  1. Share cookie between subdomain and domain
  2. Can I change all my http:// links to just //?
  3. How do browser cookie domains work?
  4. How to detect server-side whether cookies are disabled
  5. http to https through .htaccess
  6. Why is it common to put CSRF prevention tokens in cookies?
  7. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  8. Dealing with HTTP content in HTTPS pages
  9. Is there any downside for using a leading double slash to inherit the protocol in a URL? i.e. src=”//domain.com”
  10. How to handle multiple cookies with the same name?
  11. Easy HTTP requests with gzip/deflate compression
  12. Ideal HTTP cache control headers for different types of resources
  13. Correct way to delete cookies server-side
  14. Max memory usage of a chrome process (tab) & how do I increase it?
  15. URL without “http|https”
  16. Why can’t I set a cookie and redirect?
  17. How are cookies passed in the HTTP protocol?
  18. Save cookies between two curl requests
  19. Are Callable Cloud Functions better than HTTP functions?
  20. How does cookie “Secure” flag work?
  21. HTTP and HTTPS iframe
  22. Domain set cookie for subdomain
  23. Share cookies between subdomain and domain
  24. Sending browser cookies during a 302 redirect
  25. Correctly switching between HTTP and HTTPS using .htaccess
  26. What is the difference between server side cookie and client side cookie?
  27. Is a URL with // in the path-section valid?
  28. What is the proper HTTP response to send for requests that require SSL/TLS
  29. HTTPS Proxy Server in node.js
  30. htaccess redirect for non-www both http and https

Leave a Comment