 

Reading cookies via HTTPS that were set using HTTP

Can cookies set using HTTP be read using HTTPS?

Daniel Schaffer asked Jan 29 '10 17:01


People also ask

Can cookies be shared between http and https?

Cookies can't be shared between domains, so the http and https pages would need to be on the same domain as a minimum (which would mean having your own dedicated IP address and security certificate for your domain).

How do I read HTTP cookies?

The whole point of HttpOnly cookies is that they can't be accessed by JavaScript. The only way (except for exploiting browser bugs) for your script to read them is to have a cooperating script on the server that will read the cookie value and echo it back as part of the response content.

Does HttpOnly work over HTTPS?

Conclusion. Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.

Are cookies sent over HTTP?

Whenever the browser sends a request to a server, it also sends any cookies that are relevant to that server. Cookies are transmitted using header fields in the HTTP protocol.


1 Answer

Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "secure" is absent, the cookie may be sent over an insecure connection.

In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.

  • HTTP: Cookie with "Secure" will be returned only on HTTPS connections (pointless to do, see note below)
  • HTTPS: Cookie with "Secure" will be returned only on HTTPS connections
  • HTTP: Cookie without "Secure" will be returned on HTTP or HTTPS connections
  • HTTPS: Cookie without "Secure" will be returned on HTTP or HTTPS connections (could leak secure information)

Reference: RFC 2109, see 4.2.2 (page 4) and 4.3.1

Note: It is no longer possible to set "secure" cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.

richq answered Oct 01 '22 06:10
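The four cases in the answer above, plus the "Strict Secure Cookies" note, as an added example that is not part of the original answer. It is a small model of the browser-side decision, not a real browser or a real cookie library: the `CookieJar` class, `parseSetCookie` and `scenarioTable` are names chosen here, and the model deliberately ignores Domain, Path, expiry and SameSite so that only the scheme of the setting origin and of the outgoing request matter. The Set-Cookie header values in `scenarioTable` are constructed sample input.

```javascript
"use strict";

// Parse a Set-Cookie header value into its name, value and the two flags this
// example cares about. Attribute names are case-insensitive per RFC 6265.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim(); // indexOf keeps '=' inside values intact
  const attrs = parts.slice(1).map((p) => p.toLowerCase());
  return {
    name,
    value,
    secure: attrs.includes("secure"),
    httpOnly: attrs.includes("httponly"),
  };
}

// Minimal model of a browser cookie jar (hypothetical class, not a real API).
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> parsed cookie, insertion-ordered
  }

  // Store a cookie received in a response from an origin using `originScheme`
  // ("http" or "https"). Returns true if stored, false if rejected.
  store(originScheme, setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    // Strict Secure Cookies: a cookie carrying the Secure attribute is rejected
    // outright when the response arrived over an insecure origin. This is the
    // rule the answer's note refers to; older browsers simply stored it.
    if (c.secure && originScheme !== "https") return false;
    this.cookies.set(c.name, c);
    return true;
  }

  // Build the Cookie request header for a request sent over `requestScheme`.
  // Cookies without Secure go out on both http and https (the leak the answer
  // warns about); cookies with Secure go out on https only.
  cookieHeaderFor(requestScheme) {
    const sent = [];
    for (const c of this.cookies.values()) {
      if (c.secure && requestScheme !== "https") continue;
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join("; ");
  }

  // Names a page script (document.cookie) could read: HttpOnly cookies are
  // hidden from script regardless of scheme.
  scriptVisibleNames() {
    return [...this.cookies.values()].filter((c) => !c.httpOnly).map((c) => c.name);
  }
}

// The four cases from the answer: where the cookie was set, whether it had
// Secure, and whether the browser returns it on http and on https requests.
// The header strings are constructed sample input for this example.
function scenarioTable() {
  const cases = [
    { setOver: "http", header: "s=1; Secure" },
    { setOver: "https", header: "s=1; Secure" },
    { setOver: "http", header: "p=1" },
    { setOver: "https", header: "p=1" },
  ];
  return cases.map(({ setOver, header }) => {
    const jar = new CookieJar();
    const stored = jar.store(setOver, header);
    return {
      setOver,
      header,
      stored,
      sentOverHttp: stored && jar.cookieHeaderFor("http") !== "",
      sentOverHttps: stored && jar.cookieHeaderFor("https") !== "",
    };
  });
}

console.table(scenarioTable());
```

Running the block prints the table: the Secure cookie set over http is not stored at all, the Secure cookie set over https is returned only on https, and both non-Secure cookies are returned on http and https alike, which is the case that can leak a session identifier onto the wire.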