Thursday, August 1, 2013

Restrictions on cookie use between HTTP and HTTPS

For the same domain:
  • Cookie set over HTTP, with "Secure": returned only on HTTPS connections (pointless to do this)
  • Cookie set over HTTPS, with "Secure": returned only on HTTPS connections
  • Cookie set over HTTP, without "Secure": returned on HTTP or HTTPS connections
  • Cookie set over HTTPS, without "Secure": returned on HTTP or HTTPS connections (could leak secure information)
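
The four cases above, checked against Python's standard-library http.cookiejar (an example added here, not code from the original post); example.com, the cookie names and the values are placeholders, and FakeResponse is a minimal stand-in for a real HTTP response:

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "example.com"  # placeholder domain shared by HTTP and HTTPS


class FakeResponse:
    """Stand-in for a urllib response: the jar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def build_jar():
    """Receive one Secure and one non-Secure cookie over each scheme."""
    jar = CookieJar()
    # Constructed Set-Cookie headers; each name records how it arrived.
    jar.extract_cookies(
        FakeResponse(["http_secure=1; Secure", "http_plain=1"]),
        Request(f"http://{HOST}/login"),
    )
    jar.extract_cookies(
        FakeResponse(["https_secure=1; Secure", "https_plain=1"]),
        Request(f"https://{HOST}/login"),
    )
    return jar


def cookies_sent(jar, scheme):
    """Names of the cookies the jar attaches to a request on `scheme`."""
    req = Request(f"{scheme}://{HOST}/account")
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return {part.split("=", 1)[0] for part in header.split("; ") if part}


def leaked_over_http(jar):
    """Cookies set over HTTPS that are nevertheless sent over plain HTTP."""
    return {n for n in cookies_sent(jar, "http") if n.startswith("https_")}


if __name__ == "__main__":
    jar = build_jar()
    print("sent over http :", sorted(cookies_sent(jar, "http")))
    print("sent over https:", sorted(cookies_sent(jar, "https")))
    print("leaked         :", sorted(leaked_over_http(jar)))
```

Only https_plain shows up in the leaked set, which is the fourth case: a cookie issued over HTTPS without "Secure" travels in cleartext on the next HTTP request.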

Reference:
http://stackoverflow.com/questions/2163828/reading-cookies-via-https-that-were-set-using-http
RFC 2965, section 3.3
