Is a cookie secure in a HTTPS connection?
It is transmitted to and from the server encrypted, so it’s as secure as TLS is.
You can also flag a cookie as being intended only for client->server communication, and block access from client-side JavaScript, by adding the “HttpOnly” flag in the “Set-Cookie” response header.
edit — and as @Bruno suggests, you can also use the “Secure” flag (in the same header) to tell the browser that the cookie should only be sent back to the server in HTTPS requests. As @D.W. points out in a newer comment, that can be quite important, as you almost certainly don’t want your important secured cookies to be transmitted on unsecured interactions (say, prior to login from a non-secure public portion of a site). If all the interactions with a particular cookie domain are HTTPS, then that might not be necessary, but it’s such a simple thing that there’s no reason not to do it.
edit — update, a long time later: use the Secure flag 🙂
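The two flags discussed in the answer above, as an added example that is not part of the original answer or its comments. The functions below build a Set-Cookie header with Secure and HttpOnly, parse and audit such a header, and simulate the one browser decision the Secure flag controls: whether the cookie is attached to a request for a given URL. The function names and the sample header strings are this example's own constructions, not anything from the original thread.

```javascript
// Build a Set-Cookie header value.
//   Secure   -> browser only sends the cookie back on https:// requests
//   HttpOnly -> cookie is not exposed to document.cookie / client-side scripts
// Both default to on; a caller must opt out explicitly.
function buildSetCookie(name, value, { secure = true, httpOnly = true, path = '/', maxAge } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become `true`.
// The cookie value may itself contain '=', so only the first '=' splits name/value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header the way a reviewer would: report each missing flag.
// Returns an empty array when the cookie carries both Secure and HttpOnly.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attributes.secure) findings.push('missing Secure: cookie will also be sent over plain http');
  if (!c.attributes.httponly) findings.push('missing HttpOnly: cookie is readable via document.cookie');
  return findings;
}

// Simulate the browser's send decision for a parsed cookie and a request URL:
// a Secure cookie is withheld from any non-https request, and the Path attribute
// must prefix the request path. (Domain matching is omitted to keep the example short.)
function wouldBrowserSend(cookie, reqUrl) {
  const u = new URL(reqUrl);
  if (cookie.attributes.secure && u.protocol !== 'https:') return false;
  const path = cookie.attributes.path || '/';
  return u.pathname.startsWith(path);
}

// Constructed sample headers: a weak one and one built with the helper above.
const weakHeader = 'session=abc123; Path=/';
const hardenedHeader = buildSetCookie('session', 'abc123', { maxAge: 3600 });

console.log('weak   :', weakHeader, '->', auditSetCookie(weakHeader));
console.log('hardened:', hardenedHeader, '->', auditSetCookie(hardenedHeader));
// The "prior to login from a non-secure public portion of a site" case from the answer:
console.log('sent over http? ', wouldBrowserSend(parseSetCookie(hardenedHeader), 'http://example.com/public'));
console.log('sent over https?', wouldBrowserSend(parseSetCookie(hardenedHeader), 'https://example.com/public'));
```

The audit function is the check worth wiring into tests or a proxy: any session cookie that comes back without both findings empty is a bug, regardless of whether the site is "all HTTPS" today, because a single http:// link or redirect is enough for the browser to send a non-Secure cookie in the clear.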