What is a Secure HTTP cookie?
An HTTP cookie, as defined in RFC 6265, can be set with a Secure flag, which tells the browser never to send the cookie back to the server unless the request is made over a TLS-protected https:// connection. For example:
Set-Cookie: name=value; Secure
Logically, Secure cookies should only be set by TLS websites, but because a number of broken insecure (http://) websites set such cookies, newer browsers introduced a strict secure cookies policy, which effectively ignores any cookie carrying the Secure flag when it is set by a non-TLS website.