 

How does cookie "Secure" flag work?

I know that a cookie with secure flag won't be sent via an unencrypted connection. I wonder how this works in-depth.

Who is responsible for determining whether the cookie will be sent or not?

ted asked Dec 05 '12 18:12



2 Answers

The client sets this only for encrypted connections and this is defined in RFC 6265:

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).

Cratylus answered Sep 28 '22 04:09


Just another word on the subject:

Omitting secure because your website example.com is fully https is not enough.

If your user is explicitly reaching http://example.com, they will be redirected to https://example.com but that's too late already; the first request contained the cookie.

Alain Tiemblo answered Sep 28 '22 04:09
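To make both answers concrete, here is an added example (not code from either answer or from any browser) of the user-agent side of the rule: a toy cookie jar that parses Set-Cookie headers and, for each request, decides which cookies to attach based on the request scheme. The names parseSetCookie, jarFrom and cookiesFor, and the sample cookies, are assumptions made for this illustration.

```javascript
// Added example: models the user-agent decision from RFC 6265 (Secure cookies
// are attached only when the request goes over a secure channel). Function
// names and the sample cookies below are constructed for this illustration.

// Parse one Set-Cookie header value into { name, value, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    // Attribute names are case-insensitive; Secure carries no value.
    secure: attrs.some((a) => a.toLowerCase() === 'secure'),
  };
}

// Store cookies keyed by name, as a browser keeps them for one host.
function jarFrom(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    jar.set(c.name, c);
  }
  return jar;
}

// The decision the question asks about: the user agent, not the server,
// checks the scheme of the outgoing request and withholds Secure cookies
// when it is plain http.
function cookiesFor(jar, url) {
  const isSecureChannel = new URL(url).protocol === 'https:';
  return [...jar.values()]
    .filter((c) => !c.secure || isSecureChannel)
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed sample: one cookie set with Secure, one set without it by a
// developer relying on "the whole site is https anyway".
const jar = jarFrom([
  'session=abc123; Path=/; Secure; HttpOnly',
  'prefs=dark; Path=/',
]);

// The user types http://example.com. This first request is sent before the
// redirect to https: the Secure cookie stays home, the other one is already
// on the wire in clear text, which is the point of the second answer.
const sentOverHttp = cookiesFor(jar, 'http://example.com/');   // ['prefs=dark']
const sentOverHttps = cookiesFor(jar, 'https://example.com/'); // both cookies
console.log(sentOverHttp, sentOverHttps);
```

The check lives entirely in the client; the server only sets the attribute and has no way to stop a browser that ignores it.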