我知道带有 secure 标志的 cookie 不会通过未加密的连接发送。我想知道这是如何深入运作的。
谁负责确定是否发送 cookie?
最佳答案
客户端仅为加密连接设置此项,这在 RFC 6265 中定义:
The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie's confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).
关于http - cookie "Secure"标志如何工作?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/13729749/