Is a cookie secure in a HTTPS connection?

Tags: php, cookies

Is a cookie secure in a HTTPS connection?

Castro Roy asked Oct 25 '10 14:10


People also ask

Are cookies secure in HTTPS?

Cookies are sent within the HTTP header. Thus they are as secure as the HTTPS connection, which depends on a lot of SSL/TLS parameters like cipher strength or length of the public key. Please keep in mind that unless you set the Secure flag for your cookie, the cookie can be transmitted over an insecure HTTP connection.

How secure is a cookie?

Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals' browsing histories.

Can HTTP overwrite HTTPS cookies?

With strict secure cookies, http://example.com/ can't overwrite a secure cookie on https://example.com/, something which was possible before. After the specification was finalized, this new behavior was soon implemented in browsers, and in modern browsers secure cookies can no longer be overwritten.

How do you check whether the cookie is set only to transmit over HTTPS or SSL channel?

Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS.


1 Answer

It is transmitted to and from the server encrypted, so it's as secure as TLS is.

You can also flag a cookie as being intended only for client->server communication, and block access from client-side JavaScript, by adding the "HttpOnly" flag in the "Set-cookie" response header.

edit — and as @Bruno suggests, you can also use the "secure" flag (in the same header) to tell the browser that the cookie should only be sent back to the server in https requests. As @D.W. points out in a newer comment, that can be quite important, as you almost certainly don't want your important secured cookies probably to be transmitted on unsecured interactions (say, prior to login from a non-secure public portion of a site). If all the interactions with a particular cookie domain are HTTPS, then that might not be necessary, but it's such a simple thing that there's no reason not to do it.

edit — update, a long time later: use the secure flag :)

Pointy answered Sep 23 '22 13:09
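As an added example (not part of the original answer), a small Python check that parses Set-Cookie header values and reports cookies missing the Secure or HttpOnly flag the answer recommends; the header values and cookie names in it are constructed samples, not taken from any real application.

```python
# Added example (not from the original answer): a check for the Secure and
# HttpOnly flags on Set-Cookie headers. Header values below are constructed samples.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return a list of findings (empty when the cookie carries both flags)."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends this cookie on plain-HTTP
        # requests to the same host, e.g. a pre-login page served over http://.
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly the cookie is readable from document.cookie in scripts.
        findings.append(f"{name}: missing HttpOnly")
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of a response; returns {name: findings}."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in set_cookie_headers}


# Constructed sample headers, as a PHP application might emit them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",                        # no Secure flag
    "prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",  # neither flag
    "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",          # both flags set
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it the Set-Cookie headers captured from a real response (or from a test client in your test suite) to catch a session cookie that lost its flags after a configuration change.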