
I read a blog post, "GitHub moves to SSL, but remains Firesheepable", that claimed that cookies can be sent unencrypted over http even if the site is only using https. They write that a cookie should be marked with a "secure flag", but I don't know what that flag looks like.

How can I check that my cookies are only sent over encrypted https and not over unencrypted http, on my site that is only using https?

Rory Alsop
Jonas

3 Answers


The cookie's secure flag looks like this:

secure;

That's it.
This should appear at the end of the HTTP header:

Set-Cookie: mycookie=somevalue; path=/securesite/; Expires=12/12/2010; secure; httpOnly;

Of course, to check it, simply plug in any proxy or sniffer (I use the excellent Fiddler) and watch...

*Bonus: I also threw in there the httpOnly attribute, which protects against cookie access from JavaScript space, e.g. via XSS.

AviD

You can check using a tool like Firebug (an extension for Firefox: http://getfirebug.com/). The cookie will display as 'secure'.

Also if you're in Firefox you can look in the 'Remove Individual Cookies' window to be certain.

From a development point of view, a 'secure' cookie is the same as a regular one, but has an extra parameter in it. e.g.

SessionId=blah; path=/; secure; HttpOnly

Your development framework will hopefully support adding this easily - let us know what platform you're using if you need help.

While you're there, I'd suggest adding the HttpOnly flag as well if you're not manipulating cookies in JavaScript; it will give the cookies additional protection from some XSS attacks.

Scott Pack
KirkJ

You could also use a Google Chrome plugin to achieve this; a very good one is Advanced REST Client.

A sample output looks like this:

Connection: keep-alive
Strict-Transport-Security: max-age=31536000
Content-Type: application/json
Content-Length: 104
X-Content-Type-Options: nosniff
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16)
Date: Thu, 25 Aug 2016 07:15:57 GMT
Set-Cookie: your.cookie.name=some-hash-uuid-here; domain=your-backend-hostname.com; path=/; expires=Sat, 24 Sep 2016 07:15:57 -0000; HttpOnly; secure
Via: 1.1 vegur

As you can see, at the end of the 'Set-Cookie' header's value you will see the word 'secure', as mentioned several times in the previous answers, but also notice that there is a header called 'Strict-Transport-Security' which is important to mention.

d1jhoni1b
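The three answers above all boil down to reading the response headers and looking for `secure` (and `HttpOnly`) in each `Set-Cookie` value, plus checking for `Strict-Transport-Security`. The following is an added example, not code from any of the answers, that does that check automatically over a constructed header block; the cookie names and values are made up for illustration.

```python
"""Audit HTTP response headers: which cookies lack Secure/HttpOnly, and is HSTS set?"""

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """\
Content-Type: application/json
Strict-Transport-Security: max-age=31536000
Set-Cookie: session=abc123; Path=/; Expires=Sat, 24 Sep 2016 07:15:57 GMT; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/
Set-Cookie: tracker=xyz; Domain=example.com; HttpOnly
"""


def parse_headers(raw):
    """Split a raw header block into (lowercase name, value) pairs, skipping blank lines."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)  # split once: values may contain ':' (e.g. Expires)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie value.
    Attribute names are case-insensitive, so 'secure' and 'Secure' are treated alike."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]  # first part is the cookie itself
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw):
    """Return {cookie_name: [missing flags]} for every cookie lacking Secure or HttpOnly."""
    findings = {}
    for hname, value in parse_headers(raw):
        if hname != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[cookie] = missing
    return findings


def has_hsts(raw):
    """True if the response carries a Strict-Transport-Security header."""
    return any(h == "strict-transport-security" for h, _ in parse_headers(raw))
```

Paste the raw headers from Fiddler, Firebug or your REST client into `SAMPLE_HEADERS` and every cookie that a browser would still send over plain http shows up in the audit result.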