The Secure attribute of Set-Cookie is used to handle this problem: it tells the browser that the cookie may only be sent to the server over an HTTPS connection for session verification; over a plain HTTP connection the cookie is not transmitted, so it cannot be eavesdropped. During a project today we ran into the cross-origin cookie transfer issue, and that is how we learned about the cookie attribute Secure.
As the name suggests, this attribute is used to ensure cookie security.
When the Secure attribute is set (to true), the browser sends the cookie to the server only under the HTTPS protocol and never under plain HTTP, so it cannot be eavesdropped in transit.
As a simple experiment, open https://www.baidu.com and http://www.baidu.com in Chrome and open the DevTools console on each page (call the console of the HTTPS page console1 and the console of the HTTP page console2).
1. Enter the following code in console1 (the original snippet wrote "expires=60*24*7", but Expires must be an HTTP date, so a date one week ahead is built here; Secure is a flag that takes no value, and writing secure=true has the same effect):
document.cookie = "name=EX; expires=" + new Date(Date.now() + 7*24*60*60*1000).toUTCString() + "; secure";
Then open the Resources panel and you will see the corresponding field recorded under Cookies.
2. Perform the same operation in console2. Check the Resources panel of the Baidu page under HTTP and you will find that the name field has not been sent to the server.
3. What if secure is set to false?
In this case, if the value is set to false, the field appears in the Cookies of both Baidu pages, regardless of which protocol the page used when the cookie was set.
Cookie transfer across protocols is then possible, but with a certain probability of being eavesdropped.
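The behaviour in the three steps above can be modelled outside the browser. The following is an added example, not code from the original post: buildCookie produces a correctly formed cookie string (a dated Expires instead of "60*24*7"), parseSetCookie reads the attributes back the way RFC 6265 does (the value after "secure=" is ignored, so only omitting the attribute yields a non-Secure cookie), and wouldBeSent applies the rule that a Secure cookie travels only over https. All three function names are assumptions for this example; note also that current Chrome additionally refuses to create a Secure cookie from a plain-http page.

```javascript
// Added example: model of the Secure attribute rules from RFC 6265.
// buildCookie, parseSetCookie and wouldBeSent are names chosen for this example, not browser APIs.

function buildCookie(name, value, { maxAgeSeconds, secure } = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (maxAgeSeconds !== undefined) {
    // Expires must be an HTTP date string; a bare number such as 60*24*7 is ignored by browsers
    parts.push(`expires=${new Date(Date.now() + maxAgeSeconds * 1000).toUTCString()}`);
  }
  // Secure is a flag with no value; "secure=false" would still set it
  if (secure) parts.push('secure');
  return parts.join('; ');
}

function parseSetCookie(str) {
  const [pair, ...attrs] = str.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
  };
  for (const attr of attrs) {
    const [key] = attr.split('=');
    // RFC 6265 section 5.2.5: the attribute is recognised by name; any value is discarded
    if (key.trim().toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// RFC 6265 section 5.4: a Secure cookie is attached only to requests over a secure channel
function wouldBeSent(cookie, requestUrl) {
  const secureChannel = new URL(requestUrl).protocol === 'https:';
  return !cookie.secure || secureChannel;
}

// Constructed sample: the cookie from step 1, checked against both Baidu URLs
const sample = parseSetCookie('name=EX; secure=true');
console.log(wouldBeSent(sample, 'https://www.baidu.com/')); // true
console.log(wouldBeSent(sample, 'http://www.baidu.com/'));  // false
```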
That is all the content of this article; I hope it helps you learn about cookies.