The Secure cookie flag stops cookies being sent over HTTP. The HTTPOnly flag stops JavaScript from accessing cookies.
Is it a realistic guideline that HTTPS-only sites always use Secure and HTTPOnly cookies? What about mixed HTTPS and HTTP sites? What are the disadvantages?
Obviously, if you need the cookie on both your HTTPS and HTTP pages, as well as JavaScript access for your site to work, you couldn't use those flags, but would a well-designed site ever need to do this?
asked Nov 19, 2015 at 11:45 by fstr
- My opinion is: don't mix, use HTTPS everywhere whenever you can. You would be amazed if you knew how many MITM attacks there are. Some JavaScript features are getting pushed over to HTTPS only, like getUserMedia and geolocation for example. They won't be available to http sites – Endless Commented Nov 19, 2015 at 12:10
- OK, but what would you recommend for sites that mix HTTP and HTTPS? Lots of sites are still stuck with this for whatever reason, so I'm wondering how cookie flags are used in that situation too. – fstr Commented Nov 19, 2015 at 12:21
- Worth reading deprecating powerful features on insecure origins - a reason to why you need to use https – Endless Commented Nov 20, 2015 at 10:39
2 Answers
Is it a realistic guideline that HTTPS only sites always use Secure and HTTPOnly cookies?
Yes.
What about mixed HTTPS and HTTP sites?
Don't create mixed HTTPS/HTTP sites. Just… don't.
CPU is no longer so expensive that using HTTPS everywhere is a serious overhead. Search engines treat HTTPS-only as a positive ranking indicator.
What are the disadvantages?
There aren't any.
If you really need to access a cookie from plain HTTP or from JS, then you can turn off the setting. That's the point of guidelines: you can break them when there is a good reason. There just very rarely is in this case.
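To make the two flags concrete, here is an added example (not from the question or either answer) that parses Set-Cookie headers the way a browser reads their attributes, reports which hardening flags are missing, and models the browser rule that a Secure cookie is only attached to https:// requests. The sample header values and the host example.test are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags (added example)."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep the value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # split on the first '=' only
    attrs = {}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ';'
            continue
        key, has_val, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_val else True
    return name.strip(), value, attrs


def audit(header):
    """List the hardening flags a Set-Cookie header is missing (empty list = OK)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (will be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    return findings


def would_send(header, request_url):
    """Model the browser's Secure rule only (Domain/Path/SameSite are ignored):

    a cookie carrying Secure is attached only when the request scheme is https.
    """
    _, _, attrs = parse_set_cookie(header)
    return urlsplit(request_url).scheme == "https" or "secure" not in attrs


# Constructed sample headers: a hardened session cookie and a weak one.
HARDENED = "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
WEAK = "sid=abc123; Path=/"

if __name__ == "__main__":
    for h in (HARDENED, WEAK):
        print(h, "->", audit(h) or "OK")
        print("  sent on http://example.test/ ?", would_send(h, "http://example.test/"))
```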
There is a similar question on the Information Security Stack Exchange site. Jonathan's answer includes the following: "For HTTP Only, you might want javascript to interact with the cookie. Maybe you track page state in a cookie, write to the cookie with JS, and read from JS." In other words, HTTPOnly can interfere if you want to maintain a user's UI preferences across sessions using cookies.