Title says it all: Can cookies set using HTTP be read using HTTPS?
+2
A:
Yes, but not the other way around.
HTTP Cookies can be read by HTTP or HTTPS.
HTTPS Cookies can only be read by HTTPS, that is if you set .Secure = True
on the cookie.
Shawn Steward
2010-01-29 17:36:43
+4
A:
Cookies set with the "Secure" keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction - if "secure" is absent, the cookie may be sent over an insecure connection.
In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.
- HTTP Cookie, with "Secure" will be returned only on HTTPS connections (pointless to do this)
- HTTPS Cookie, with "Secure" will be returned only on HTTPS connections
- HTTP Cookie, without "Secure" will be returned on HTTP or HTTPS connections
- HTTPS Cookie, without "Secure" will be returned on HTTP or HTTPS connections (could leak secure information)
Reference: RFC 2109 See 4.2.2 (page 4), 4.3.1
rq
2010-01-29 17:46:08
Good info... is there a spec or other reference somewhere that has this information?
Daniel Schaffer
2010-01-29 18:08:19
Good ol' RFC2109 http://www.w3.org/Protocols/rfc2109/rfc2109 Note that "HTTPS" is not mentioned, that is left unspecified there.
rq
2010-01-29 18:16:32
Thanks, added it into your answer, hope you don't mind :)
Daniel Schaffer
2010-01-29 18:25:37
Nope, probably should have done that myself! :-)
rq
2010-01-29 18:26:43