ted ted - 20 days ago 8
HTTP Question

How does cookie "Secure" flag work?

I know that a cookie with

secure
flag won't be sent via an unencrypted connection. I wonder how this works in-depth.

Who is responsible for determining whether the cookie will be sent or not?

Answer

The client sets this only for encrypted connections and this is defined in RFC 6265:

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).

Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).