开发者

Can a cookie be made in HTTPS, and used in HTTP if secure is false?

开发者 https://www.devze.com 2023-02-25 07:09 出处:网络
Can a cookie be made in HTTPS, and used in HTTP if secure parameter of the cookie is set false? I have a website where I only require a 开发者_运维技巧single page to be in HTTPS, such as the login or

Can a cookie be made in HTTPS, and used in HTTP if secure parameter of the cookie is set false? I have a website where I only require a 开发者_运维技巧single page to be in HTTPS, such as the login or maybe a special feature page.

I assume that the cookie will be (safe as it is transfered with SSL) although sent back as non-hashed when on a non-SSL page, is safe to assume so?


In short: yes.

Setting a cookie on an SSL secured response, but leaving out the secure flag, will make the cookie behave no different than if it was transferred over a non-SSL connection.


A cookie can be used on either HTTP or HTTPS unless it's marked a secure. If marked as secure the browser will only send it if the current request is on HTTPS.

If your current request is HTTP then cookie will be sent "in-the-clear" and may be able to be intercepted by a man-in-the-middle or by someone sniffing traffic. Google "firesheep" for an example of why this can be bad.

0

精彩评论

暂无评论...
验证码 换一张
取 消