Cookies with a Secure Flag?

Tags: Cookies, HTTPS
I'm doing some research on HTTPS encryption and from what I understand, it looks like cookies can be sent unencrypted over HTTP even if the site is only using HTTPS if they have something called a "secure flag".  What does that mean?  My site only uses HTTPS, so this seems important.

Discuss This Question: 1 Reply
  • Kevin Beaver
    I see this flaw, albeit a non-critical one in most situations, quite often. It means exactly what you said - cookies can be transmitted via HTTP which might be a good thing if you're trying to protect the user session or whatever is inside the cookies.

    If you're enforcing HTTPS across your site, it shouldn't be an issue. In the event HTTPS is not being used everywhere, then simply marking the cookie as 'secure' or 'requireSSL' solves the problem and only allows cookies to be transmitted over SSL.

    For further info, check this out:
    https://www.owasp.org/index.php/SecureFlag
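To make the reply concrete, here is an added example (not part of the thread, and not from OWASP) that audits `Set-Cookie` headers for the `Secure` flag and models when a browser will actually send the cookie. It uses only the Python standard library; the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure flag (added example, not from the thread)."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attribute map.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_flags(header: str) -> tuple:
    """Return (cookie name, list of protective flags the header lacks)."""
    cookie = parse_set_cookie(header)
    missing = []
    if "secure" not in cookie["attrs"]:
        missing.append("Secure")        # browser may send it over plain HTTP
    if "httponly" not in cookie["attrs"]:
        missing.append("HttpOnly")      # readable by page scripts
    return cookie["name"], missing


def audit(headers: list) -> dict:
    """Map each cookie name to its missing flags; fully flagged cookies are omitted."""
    return {name: flags for name, flags in map(missing_flags, headers) if flags}


def browser_would_send(header: str, scheme: str) -> bool:
    """Model the Secure rule: a Secure cookie is only sent on https:// requests."""
    attrs = parse_set_cookie(header)["attrs"]
    return scheme == "https" or "secure" not in attrs


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header with the flags a session cookie on an HTTPS site should carry."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz; Path=/; Secure; SameSite=Strict",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(flags)}")
```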
