Can cookies set using HTTP be read using HTTPS?
Cookies can't be shared between domains, so the http and https pages would need to be on the same domain as a minimum (which would mean having your own dedicated IP address and security certificate for your domain).
The whole point of HttpOnly cookies is that they can't be accessed by JavaScript. The only way (except for exploiting browser bugs) for your script to read them is to have a cooperating script on the server that will read the cookie value and echo it back as part of the response content.
Conclusion. Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.
Whenever the browser sends a request to a server, it also sends any cookies that are relevant to that server. Cookies are transmitted using header fields in the HTTP protocol.
Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "secure" is absent, the cookie may be sent over an insecure connection.
In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.
Reference: RFC 2109, sections 4.2.2 (page 4) and 4.3.1.
Note: It is no longer possible to set "secure" cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.
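The rules described in the answers above (same-host sharing across http and https, the Secure flag, HttpOnly, and the Strict Secure Cookies rejection), modelled as a small cookie jar. This is an added example, not code from the original page; the functions, the scheme-only origin model and the sample Set-Cookie headers are assumptions, and Path, Domain and expiry are ignored.

```javascript
// Added example: a minimal model of browser cookie handling for a single host.
// A cookie is {name, value, secure, httpOnly}; the jar is a plain array.

// Parse one Set-Cookie header value into a cookie object.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const a of attrs) {
    const attr = a.toLowerCase();
    if (attr === "secure") cookie.secure = true;
    if (attr === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Store a cookie received in a response from the given scheme ("http"/"https").
// Strict Secure Cookies: a Secure cookie arriving over http is rejected.
// Returns true if stored, false if dropped.
function storeCookie(jar, header, responseScheme) {
  const c = parseSetCookie(header);
  if (c.secure && responseScheme !== "https") return false;
  const i = jar.findIndex((x) => x.name === c.name);
  if (i >= 0) jar[i] = c; else jar.push(c);
  return true;
}

// Cookie header the browser attaches to a request sent over the given scheme.
// Non-Secure cookies go over both http and https; Secure cookies only over https.
function cookieHeaderFor(jar, requestScheme) {
  return jar
    .filter((c) => !c.secure || requestScheme === "https")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names document.cookie would expose: HttpOnly cookies are hidden from script.
function scriptVisible(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => c.name);
}

// The scenario from the question: a cookie set over http, then a request over https.
function httpCookieReadOverHttps() {
  const jar = [];
  storeCookie(jar, "sid=abc", "http");      // constructed sample header
  return cookieHeaderFor(jar, "https");     // "sid=abc": same host, so it is sent
}
```

The model deliberately omits Path, Domain and expiry so the scheme-related behaviour stays visible.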