Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does cookie "Secure" flag work?

Tags:

http

cookies

session-cookies

I know that a cookie with secure flag won't be sent via an unencrypted connection. I wonder how this works in-depth.

Who is responsible for determining whether the cookie will be sent or not?

like image 893
ted Avatar asked Dec 05 '12 18:12

ted

People also ask

What does setting the secure flag on a cookie do?

Overview. The secure attribute is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

How do I know if my flag cookie is secure?

Press F12, go to the network tab, and then press Start Capturing. Back in IE then open the page you want to view. Back in the F12 window you show see all the individual HTTP requests, select the one that's the page or asset you're checking the cookies on and double click on it.

How do you set a secure flag on SSL cookies?

Launch Google Chrome and go to either WEB or CAWEB portal website. Press F12 (from Keyboard) to launch Developer Tools. Go to Application tab -> Cookies ( left Panel) and ensure the Secure column was ticked.

What is the difference between HttpOnly and secure flag?

HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.

2 Answers

The client sets this only for encrypted connections and this is defined in RFC 6265:

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).

like image 114
Cratylus Avatar answered Sep 28 '22 04:09

Cratylus

Just another word on the subject:

Omitting secure because your website example.com is fully https is not enough.

If your user is explicitly reaching http://example.com, they will be redirected to https://example.com but that's too late already; the first request contained the cookie.

like image 38
Alain Tiemblo Avatar answered Sep 28 '22 04:09

Alain Tiemblo
Sign in to Comment

Related questions

SecurityException: Permission denied (missing INTERNET permission?)
How to redirect user's browser URL to a different page in Nodejs?
HAProxy redirecting http to https (ssl)
Can I use an at symbol (@) inside URLs?
Python send POST with header
How to POST JSON request using Apache HttpClient?
Chrome hangs after certain amount of data transfered - waiting for available socket
REST API - Bulk Create or Update in single request [closed]
RESTful - What should a DELETE response body contain
When serving JavaScript files, is it better to use the application/javascript or application/x-javascript
HTTP status code 0 - Error Domain=NSURLErrorDomain?
nodejs - first argument must be a string or Buffer - when using response.write with http.request
Can we create custom HTTP Status codes?
Correct way to set Bearer token with CURL
How to set a timeout on a http.request() in Node?
How to handle multiple cookies with the same name?
How can I make a multipart/form-data POST request using Java?
How to send line break with curl?
Transfer-Encoding: gzip vs. Content-Encoding: gzip
Keep-alive header clarification

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!