
are cookies names __Secure-SessionI more secure? - Stack Overflow


MDN on cookie names

I find very little evidence that a cookie name has an effect on its security. Is prepending __Secure- to a cookie name increasing security? Or is this more a code of conduct without any technical effect?


Asked Mar 8 at 14:26 by theking2, edited Mar 10 at 9:38

  • No, it does not increase safety and is not important. It can be used to give a better overview. The important parameters are Secure and HttpOnly. – Bademeister, commented Mar 8 at 14:34

1 Answer

The usage of the __Secure- prefix in the cookie name is specified in the specification draft draft-ietf-httpbis-cookie-prefixes-00.

See 3.1. The "__Secure-" prefix:

If a cookie's name begins with __Secure-, the cookie MUST be:

  1. Set with a "Secure" attribute
  2. Set from a URI whose "scheme" is considered "secure" by the user agent.

This is an additional safety guard implemented in the user agent (your browser). If such a cookie is received (by the Set-Cookie header) but the Secure attribute is missing, then the cookie should be ignored. See 5.7. Storage Model of the Cookies: HTTP State Management Mechanism specification draft:

5.7. Storage Model

[...]

  1. If the cookie-name begins with a case-insensitive match for the string "__Secure-", abort these steps and ignore the cookie entirely unless the cookie's secure-only-flag is true.
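
The user-agent check described in the answer above, as an added example that is not part of the original post or of any browser's code: a simplified JavaScript model of the two `__Secure-` conditions applied to a `Set-Cookie` value. The function names, the sample headers and the choice of `https:` and `wss:` as the only "secure" schemes are assumptions made for illustration.

```javascript
// Added example: simplified model of the user agent's "__Secure-" check.
// Assumption: only https: and wss: count as secure schemes here.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Split a Set-Cookie value into a name and a set of lowercased attribute names.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // nameless cookies are out of scope for this sketch
  const attrs = new Set();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.add(key);
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Return whether the cookie would be stored, and why not if it is ignored.
function checkSecurePrefix(setCookieValue, requestUrl) {
  const cookie = parseSetCookie(setCookieValue);
  if (!cookie) return { stored: false, reason: "unparseable" };
  // Prefix match is case-insensitive, as in the storage-model step quoted above.
  if (cookie.name.toLowerCase().startsWith("__secure-")) {
    if (!cookie.attrs.has("secure")) {
      return { stored: false, reason: "missing Secure attribute" };
    }
    if (!SECURE_SCHEMES.has(new URL(requestUrl).protocol)) {
      return { stored: false, reason: "non-secure scheme" };
    }
  }
  return { stored: true, reason: "ok" };
}

// Constructed sample responses (not taken from the page).
const SAMPLES = [
  ["__Secure-SID=abc; Secure; Path=/", "https://example.com/login"],
  ["__Secure-SID=abc; Path=/; HttpOnly", "https://example.com/login"],
  ["__Secure-SID=abc; Secure", "http://example.com/login"],
  ["__SECURE-sid=abc; SecureX=1", "https://example.com/login"],
  ["SID=abc; Path=/", "http://example.com/login"],
];

function runSamples() {
  return SAMPLES.map(([header, url]) => checkSecurePrefix(header, url));
}

for (const r of runSamples()) console.log(r.stored ? "stored" : "ignored: " + r.reason);
```

The last sample, an unprefixed `SID` cookie sent over plain HTTP, passes this check untouched: only the `__Secure-` name triggers the two conditions.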