Is a cookie secure in a HTTPS connection?
Cookies are sent within the HTTP header. Thus they are as secure as the HTTPS connection which depends on a lot of SSL/TLS parameters like cipher strength or length of the public key. Please keep in mind that unless you set the Secure flag for your Cookie, the Cookie can be transmitted over an unsecure HTTP connection.
Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals' browsing histories.
Strict secure cookies So http://example.com/ can't overwrite a secure cookie on https://example.com/, something which was possible before. After the specification was finalized, this new behavior was soon implemented in browsers, and in modern browsers secure cookies can no longer be overwritten.
Modern web browsers support a secure flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS.
It is transmitted to and from the server encrypted, so it's as secure as TLS is.
You can also flag a cookie as being intended only for client->server communication, and block access from client-side Javascript, by adding the "HttpOnly" flag in the "Set-cookie" response header.
edit — and as @Bruno suggests, you can also use the "secure" flag (in the same header) to tell the browser that the cookie should only be sent back to the server in https requests. As @D.W. points out in a newer comment, that can be quite important, as you almost certainly don't want your important secured cookies probably to be transmitted on unsecured interactions (say, prior to login from a non-secure public portion of a site). If all the interactions with a particular cookie domain are HTTPS, then that might not be necessary, but it's such a simple thing that there's no reason not to do it.
edit — update, a long time later: use the secure
flag :)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With