Cookies with a Secure Flag?

Tags: Cookies, HTTPS
I'm doing some research on HTTPS encryption and from what I understand, it looks like cookies can be sent unencrypted over HTTP even if the site is only using HTTPS if they have something called a "secure flag".  What does that mean?  My site only uses HTTPS, so this seems important.

Discuss This Question: 1  Reply

 
  • Kevin Beaver
    I see this flaw, albeit a non-critical one in most situations, quite often. It means exactly what you said - cookies can be transmitted via HTTP which might be a good thing if you're trying to protect the user session or whatever is inside the cookies.

    If you're enforcing HTTPS across your site, it shouldn't be an issue. In the event HTTPS is not being used everywhere, then simply marking the cookie as 'secure' or 'requireSSL' solves the problem and only allows cookies to be transmitted over SSL.

    For further info, check this out:
    https://www.owasp.org/index.php/SecureFlag
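
Added example (not part of the reply above): a check for the flag being discussed, run over constructed `Set-Cookie` header values, plus one way to emit a cookie with the attribute set using Python's standard `http.cookies`. The function names and sample cookies are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not taken from any real site).
SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/",          # no Secure attribute
    "prefs=dark; Path=/; Secure",        # correctly flagged
    "secure_token=xyz; Path=/",          # name contains "secure", attribute absent
    "cart=42; Path=/; SECURE",           # attribute names are case-insensitive
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lowercase attribute names)."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    # Only the text before "=" is the attribute name (e.g. "Path=/" -> "path").
    attr_names = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name.strip(), value, attr_names


def cookies_missing_secure(set_cookie_values):
    """Return the names of cookies a browser would also send over plain HTTP."""
    missing = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        # Match the attribute itself, not a substring of the cookie name or value.
        if "secure" not in attrs:
            missing.append(name)
    return missing


def build_secure_cookie(name, value):
    """Build a Set-Cookie value that carries the Secure attribute."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True
    return cookie[name].OutputString()


if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_SET_COOKIE):
        print("missing Secure:", cookie_name)
    print("fixed header value:", build_secure_cookie("SESSIONID", "abc123"))
```
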
