Cookies set with the keyword "Secure" will only be sent by the browser when it is connected over a secure channel (HTTPS). Apart from this, there is no difference - if "secure" is absent, a cookie can be sent over an insecure connection.
In other words, the cookies whose content you want to protect should use the "secure" keyword, and you should only send them from the server to the browser when the user connects via HTTPS.
- HTTP : "secure" cookies will only be returned on HTTPS connections (pointless to do, see note below)
- HTTPS : "secure" cookies will only be returned on HTTPS connections
- HTTP : cookies without "secure" will be returned on HTTP or HTTPS connections
- HTTPS : cookies without "secure" will be returned on HTTP or HTTPS connections
Ref: RFC 2109, sections 4.2.2 (p. 4) and 4.3.1
Note: it is no longer possible to set "secure" cookies from insecure origins (like HTTP) in Firefox and Chrome after they implemented the Strict Secure Cookies specification.
richq 2018-01-29 17:46
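The four set/send cases and the Strict Secure Cookies rule from the answer above, modelled as a minimal browser cookie jar; this is example code added here, not part of the original post. It assumes a simplified jar (no domain, path or expiry handling) and uses the constructed cookie value `sid=abc123`.

```python
"""Model of how a browser treats the Secure attribute (example, not from the post)."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


@dataclass
class CookieJar:
    # strict_secure=True models current Firefox/Chrome (Strict Secure Cookies):
    # a cookie carrying "Secure" that arrives over http:// is dropped.
    strict_secure: bool = True
    store: dict = field(default_factory=dict)

    def set_cookie(self, header: str, scheme: str) -> bool:
        """Store a Set-Cookie header received over `scheme`; True if accepted."""
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            secure = bool(morsel["secure"])  # True only if the Secure flag was present
            if self.strict_secure and secure and scheme != "https":
                return False
            self.store[name] = Cookie(name, morsel.value, secure)
        return True

    def cookies_for(self, scheme: str) -> list:
        """Names of stored cookies the browser would attach to a request over `scheme`."""
        return [n for n, c in self.store.items() if scheme == "https" or not c.secure]


def run_cases(strict_secure: bool = True) -> dict:
    """For each way of setting the cookie, list the schemes it is later sent over."""
    results = {}
    for set_scheme in ("http", "https"):
        for header in ("sid=abc123; Secure", "sid=abc123"):  # constructed sample cookie
            jar = CookieJar(strict_secure=strict_secure)
            stored = jar.set_cookie(header, set_scheme)
            label = f"set over {set_scheme}, {'Secure' if 'Secure' in header else 'no Secure'}"
            results[label] = [s for s in ("http", "https") if stored and "sid" in jar.cookies_for(s)]
    return results


if __name__ == "__main__":
    for label, sent_over in run_cases().items():
        print(f"{label}: sent over {sent_over or 'nothing (rejected by browser)'}")
```

With `strict_secure=False` the first case shows the old behaviour (a Secure cookie set over HTTP is kept and sent only over HTTPS), which is exactly the case the note calls pointless.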