How does cookie "Secure" flag work?

http cookies session-cookies
ted picture ted · Dec 5, 2012 · Viewed 97.8k times · Source

I know that a cookie with secure flag won't be sent via an unencrypted connection. I wonder how this works in-depth.

Who is responsible for determining whether the cookie will be sent or not?

Answer

Cratylus picture Cratylus · Dec 5, 2012

The client sets this only for encrypted connections and this is defined in RFC 6265:

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).

Related questions

What is the difference between server side cookie and client side cookie?

What is the difference between creating cookies on the server and on the client? Are these called server side cookies and client side cookies? Is there a way to create cookies that can only be read on the server or …

Read More
Is a URL with // in the path-section valid?

I have a question regarding URLs: I've read the RFC 3986 and still have a question about one URL: If a URI contains an authority component, then the path component must either be empty or begin with a slash ("/") character. If …

Read More
Share cookie between subdomain and domain

I have two questions. I understand that if I specify the domain as .mydomain.com (with the leading dot) in the cookie that all subdomains can share a cookie. Can subdomain.mydomain.com access a cookie created in mydomain.com (…

Read More