views:

57

answers:

4

Well, my question is simple: is a cookie secure in an HTTPS connection?

+2  A: 

In the connection, yes. But it's still stored on the client's machine unencrypted.

joni
A: 

Never trust user input / session / cookies without validation. Same for HTTPS / SSL.

See also: http://stackoverflow.com/questions/606179/what-encryption-algorithm-is-best-for-encrypting-cookies

Enrico Pallazzo
+5  A: 
Pointy
It's also worth using the secure cookie flag.
Bruno
@Bruno oh yes of course - I'll extend the answer
Pointy
+1  A: 

Cookies are sent within the HTTP header. Thus they are as secure as the HTTPS connection, which depends on a lot of SSL/TLS parameters like cipher strength or length of the public key.

Please keep in mind that unless you set the Secure flag for your Cookie, the Cookie can be transmitted over an insecure HTTP connection. There are man-in-the-middle attacks that use such insecure Cookies to steal session information. So, unless you have a good reason not to, always set the Secure flag for Cookies when you want them only transmitted over HTTPS.

Gerhard
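As an added example that is not part of the original thread, here is a Python check for the point Gerhard makes: an audit of Set-Cookie header values that reports cookies missing the Secure (and HttpOnly) attribute, plus a helper that emits a session cookie with those attributes set. It uses only the standard library; the header values are constructed samples, not taken from any real site.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values (sample input, not from any real server).
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                           # no Secure: leaks over plain HTTP
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",  # correctly protected
    "prefs=dark; Path=/",                                           # neither flag set
]

# Morsel attribute name -> flag name as it appears on the wire.
PROTECTION_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def build_session_cookie(name, value, max_age=3600):
    """Return a Set-Cookie header value that the browser will only send over HTTPS
    and will not expose to page scripts."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # only transmitted on HTTPS connections
    jar[name]["httponly"] = True    # not readable via document.cookie
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return {cookie_name: [missing flags]}.

    Attribute names are matched case-insensitively by SimpleCookie, so
    'secure', 'Secure' and 'SECURE' all count as the flag being present."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        report[name] = [flag for attr, flag in PROTECTION_FLAGS if not morsel[attr]]
    return report


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of a response; only cookies with a missing
    flag are reported, so an empty dict means all cookies are protected."""
    findings = {}
    for header_value in set_cookie_headers:
        for name, missing in audit_set_cookie(header_value).items():
            if missing:
                findings.setdefault(name, []).append(missing)
    return findings


if __name__ == "__main__":
    print(build_session_cookie("sessionid", "abc123"))
    print(audit_response(SAMPLE_SET_COOKIE_HEADERS))
```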