Home/ Questions/Q 7622429
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T04:27:06+00:00

Is a secure cookie supposed to be sent to an HTTPS server that have

  • 0

Is a secure cookie supposed to be sent to an HTTPS server that have an invalid certificate? I mean, I have an application served by a HTTPS server which send a cookie with the secure flag activated after the login step. Is my server supposed to receive the cookie back if it has an invalid certificate? Is this is normalized (it seems it’s not), could someone point me to the relevant part of the norm?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, a cookie with Secure flag set is only sent for TLS/SSL secured connections:

    If the cookie’s secure-only-flag is true, then the request-uri’s scheme must denote a "secure" protocol (as defined by the user agent). […] Typically, user agents consider a protocol secure if the protocol makes use of transport-layer security, such as SSL or TLS. For example, most user agents consider "https" to be a scheme that denotes a secure protocol.

    But to establish a TLS/SSL connection, it only matters whether the certificate is trusted. It doesn’t matter how the certificate was trusted, i. e. whether it was trusted automatically or manually.

    • 0