Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is a cookie secure in a HTTPS connection?

Tags:

php

cookies

Is a cookie secure in a HTTPS connection?

like image 648
Castro Roy Avatar asked Oct 25 '10 14:10

Castro Roy

People also ask

Are cookies secure in HTTPS?

Cookies are sent within the HTTP header. Thus they are as secure as the HTTPS connection which depends on a lot of SSL/TLS parameters like cipher strength or length of the public key. Please keep in mind that unless you set the Secure flag for your Cookie, the Cookie can be transmitted over an unsecure HTTP connection.

How secure is a cookie?

Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals' browsing histories.

Can HTTP overwrite HTTPS cookies?

Strict secure cookies So http://example.com/ can't overwrite a secure cookie on https://example.com/, something which was possible before. After the specification was finalized, this new behavior was soon implemented in browsers, and in modern browsers secure cookies can no longer be overwritten.

How do you check whether the cookie is set only to transmit over HTTPS or SSL channel?

Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS.

1 Answers

It is transmitted to and from the server encrypted, so it's as secure as TLS is.

You can also flag a cookie as being intended only for client->server communication, and block access from client-side Javascript, by adding the "HttpOnly" flag in the "Set-cookie" response header.

edit — and as @Bruno suggests, you can also use the "secure" flag (in the same header) to tell the browser that the cookie should only be sent back to the server in https requests. As @D.W. points out in a newer comment, that can be quite important, as you almost certainly don't want your important secured cookies probably to be transmitted on unsecured interactions (say, prior to login from a non-secure public portion of a site). If all the interactions with a particular cookie domain are HTTPS, then that might not be necessary, but it's such a simple thing that there's no reason not to do it.

edit — update, a long time later: use the secure flag :)

like image 87
Pointy Avatar answered Sep 23 '22 13:09

Pointy
Sign in to Comment

Related questions

How to get the base domain name from an URL using PHP?
Destroy PHP Session on closing
do I need to use exit after header("Location: http://localhost/...");?
What is the difference between == and === in php [duplicate]
CURLOPT_FOLLOWLOCATION cannot be activated [duplicate]
MySQL error when inserting data containing apostrophes (single quotes)?
How to debug PHP in eclipse in an external browser rather than internal?
Multi Threading / Multi Tasking in PHP
Java equivalent to php die
Get base product image in Magento
How would you add a file upload to a Symfony2 DataFixture?
PHP Error encountered when running Command Line using CodeIgniter 2.xx
Why is WordPress showing query results from an empty post__in array?
Get the raw request using PHP
How change view folder in Laravel5?
Scenario vs. Scenario Outline
get_headers(): SSL operation failed with code 1
WhereNotExists Laravel Eloquent
Include whole content of a file and echo it
What does the "Add DROP TABLE / VIEW / PROCEDURE / FUNCTION" checkbox do in phpmyadmin

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!