Can cookies set using HTTP be read using HTTPS?

Question

0

Editorial Team

Asked: May 13, 20262026-05-13T14:04:45+00:00 2026-05-13T14:04:45+00:00

Can cookies set using HTTP be read using HTTPS?

0

Can cookies set using HTTP be read using HTTPS?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T14:04:45+00:00

Cookies set with the “Secure” keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction – if “secure” is absent, the cookie may be sent over an insecure connection.

In other words, cookies that you want to protect the contents of should use the secure keyword and you should only send them from the server to the browser when the user connects via HTTPS.

HTTP: Cookie with “Secure” will be returned only on HTTPS connections (pointless to do, see note below)
HTTPS: Cookie with “Secure” will be returned only on HTTPS connections
HTTP: Cookie without “Secure” will be returned on HTTP or HTTPS connections
HTTPS: Cookie without “Secure” will be returned on HTTP or HTTPS connections (could leak secure information)

Reference: RFC 2109
See 4.2.2 (page 4), 4.3.1

Note: It is no longer possible to set “secure” cookies over insecure (e.g. HTTP) origins on Firefox and Chrome after they implemented the Strict Secure Cookies specification.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Can cookies set using HTTP be read using HTTPS?

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply