When Firefox receives a cookie via an HTTPS connection, it appears to treat it as a secure cookie, even though the server did not send it as a secure cookie.

When I inspect the cookie from within Firefox, it displays "Send For: Encrypted connections only". When Firefox sends the cookie to the server in subsequent secure requests, inspection of the cookie in Java (Cookie.getSecure()) indicates that the sent cookie is not secure. Firefox refuses to send such cookies over non-secure connections.

Konqueror exhibits the same behavior.

I'd like either to ensure that the client will send the cookie over an HTTP request or know that a particular, arbitrary cookie flagged as non-secure will never be sent as part of a non-secure request. Is there any way to do this?

A: 

Firefox won't automatically promote cookies to secure when received over https, nor will it not send non-secure cookies over https: http://hg.mozilla.org/mozilla-central/annotate/4daa2ea5747b/netwerk/cookie/nsCookieService.cpp#l2451 (setting the cookie). See line #1950 for sending the cookie (stackoverflow won't let me post two URLs, sorry!)

If you look at the http header in the https response, is there a 'secure' flag in the Set-Cookie header?

If you don't specify the 'secure' flag, the cookie will be sent over both http and https. There's no way to make a non-secure cookie be sent as part of a non-secure request. (Did you mean something else?)

Dan Witte
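The behaviour the answer describes, checked against Python's standard-library cookie jar as an added example (this is not code from the question or the answer): a cookie set over HTTPS without the Secure attribute is attached to both http:// and https:// requests, a Secure one only to https://, and the Cookie request header carries bare name=value pairs, which is why a server-side check like Cookie.getSecure() never sees the flag. The host app.example.test and both Set-Cookie values are constructed for the example.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample: Set-Cookie headers an HTTPS login response might carry.
# Only the first cookie has the Secure attribute; the second is deliberately unflagged.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

LOGIN_URL = "https://app.example.test/login"   # hypothetical host


class _FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value   # Message appends repeated headers

    def info(self):
        return self._msg


def jar_from_https_response(set_cookie_headers=SET_COOKIE_HEADERS):
    """Store cookies the way a client does after receiving them over HTTPS."""
    jar = CookieJar()   # DefaultCookiePolicy: Secure cookies go to https/wss only
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(LOGIN_URL))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie request header the jar would attach for url ('' if none)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def cookie_names_sent_to(jar, url):
    """Names of the cookies the jar is willing to send to url."""
    header = cookie_header_for(jar, url)
    return {part.split("=", 1)[0] for part in header.split("; ") if part}


if __name__ == "__main__":
    jar = jar_from_https_response()
    for url in ("https://app.example.test/dashboard", "http://app.example.test/dashboard"):
        # The header never contains "Secure": the flag is client-side state only.
        print(url, "->", repr(cookie_header_for(jar, url)))
```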