Ram Ram - 3 months ago 15
C# Question

Is it compulsory to add Secure Flag to a Cookie over HTTPS

Till now my site has been HTTPS only and I have added cookie.SecureFlag = true. I want to open it for HTTP as well, so I'm forced to remove the Secure flag from the cookie as it is not working over HTTP. Can you please tell me whether my cookie sent through HTTPS (SSL) needs a Secure flag? Will it be secure without it as well?

Answer

If you set the Secure flag, the cookie will only be sent to HTTPS endpoints. If you need to send the cookie to non-secure endpoints, you should not use this flag, although you should probably revise your design, as it is considered bad practice to send authentication cookies over a non-encrypted channel.

Bear in mind that it is not the Secure flag that actually secures anything inside the cookie. It is the SSL encryption that ensures a man-in-the-middle will not be able to decrypt the traffic and read the value. The Secure flag only ensures that the browser will transmit the cookie over SSL.
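To make the answer's point concrete, here is an added example that is not part of the question or the answer and is not the asker's C# code. It uses Python's standard http.cookiejar, which applies the same RFC 6265 rule a browser does (a cookie carrying the Secure attribute is only attached to requests over a secure scheme), as a stand-in for the browser. The host example.com, the cookie name and value, and the URL paths are made up for the demonstration.

```python
import http.cookiejar
import urllib.request

# Constructed sample data: the host and cookie name are assumptions for this
# demonstration, not values taken from the original question.
SITE_HOST = "example.com"


def make_cookie(name: str, value: str, secure: bool) -> http.cookiejar.Cookie:
    """Build a Netscape-style (version 0) cookie for SITE_HOST, with or without Secure."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=SITE_HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure,            # the Secure attribute under test
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str):
    """Return the Cookie header the jar attaches to a request for url, or None if it withholds it."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)    # applies the jar's policy, including the Secure check
    return req.get_header("Cookie")


def simulate(secure: bool) -> dict:
    """Show on which scheme a session cookie with the given Secure setting is transmitted.

    Models the asker's situation: the cookie was issued over HTTPS, and the site
    also serves pages over plain HTTP on the same host.
    """
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "abc123", secure))
    return {
        "https": cookie_header_for(jar, f"https://{SITE_HOST}/account"),
        "http": cookie_header_for(jar, f"http://{SITE_HOST}/news"),
    }


if __name__ == "__main__":
    for secure in (False, True):
        result = simulate(secure)
        print(f"Secure={secure}: https -> {result['https']!r}, http -> {result['http']!r}")
```

Without the Secure flag the cookie jar sends session=abc123 on the plain http:// request as well, which is exactly the plaintext exposure the answer warns about once a site is opened up to HTTP: any network attacker on the path reads the session identifier. With the flag set, the jar withholds the cookie on http:// and the HTTP pages simply run without the session. In the asker's System.Web code the flag is the HttpCookie.Secure property; whether the value is "secured" on the wire is decided solely by the scheme of the request that carries it.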

Comments