Can cookies set using HTTP be read using HTTPS?
109
Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "secure" is absent, the cookie may be sent over an insecure connection.
In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.
- HTTP: Cookie with "Secure" will be returned only on HTTPS connections (pointless to do, see note below)
- HTTPS: Cookie with "Secure" will be returned only on HTTPS connections
- HTTP: Cookie without "Secure" will be returned on HTTP or HTTPS connections
- HTTPS: Cookie without "Secure" will be returned on HTTP or HTTPS connections (could leak secure information)
Reference: RFC 2109, sections 4.2.2 (page 4) and 4.3.1
Note: It is no longer possible to set "secure" cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.

richq
- Good info... is there a spec or other reference somewhere that has this information? – Daniel Schaffer Jan 29 '10 at 18:08
- Good ol' RFC2109 http://www.w3.org/Protocols/rfc2109/rfc2109 Note that "HTTPS" is not mentioned, that is left unspecified there. – richq Jan 29 '10 at 18:16
- awesome, this answer is what I looked for. – webblover Feb 07 '17 at 12:35
- @richq **HTTPS Cookie**; you mean normal HTTP cookie with "secure" flag or cookie that is created in HTTPS connection? – webblover Feb 07 '17 at 12:39
- @webblover hopefully the edit clears it up. I mean HTTP or HTTPS connections, then the cookie set with/without secure. – richq Feb 07 '17 at 13:42