I know that a cookie with secure
flag won't be sent via an unencrypted connection. I wonder how this works in-depth.
Who is responsible for determining whether the cookie will be sent or not?
Overview. The secure attribute is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure attribute is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.
Press F12, go to the network tab, and then press Start Capturing. Back in IE then open the page you want to view. Back in the F12 window you show see all the individual HTTP requests, select the one that's the page or asset you're checking the cookies on and double click on it.
Launch Google Chrome and go to either WEB or CAWEB portal website. Press F12 (from Keyboard) to launch Developer Tools. Go to Application tab -> Cookies ( left Panel) and ensure the Secure column was ticked.
HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.
The client sets this only for encrypted connections and this is defined in RFC 6265:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).
Just another word on the subject:
Omitting secure
because your website example.com
is fully https is not enough.
If your user is explicitly reaching http://example.com
, they will be redirected to https://example.com
but that's too late already; the first request contained the cookie.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With