While working on a project today, I ran into the issue of transferring cookies across domains, and I also learned about a cookie attribute: secure.
As the name suggests, this attribute is used to ensure the security of cookies.
When the secure attribute is set to true, the cookie is sent to the server only over the https protocol and is not sent over http, so it will not be eavesdropped on.
As a simple exercise, open https://www.baidu.com and http://www.baidu.com in the Chrome browser and open the console on each page (from here on, the console on the https page is console1 and the console on the http page is console2).
1. First enter the following code in console1
// expires takes a date string, so the 7-day lifetime is written as max-age in seconds
document.cookie = "name=EX;max-age=604800;secure=true";
Then, open Resources and you can see that the corresponding fields have been recorded in the cookie
2. Perform the same operation in console2. Now look at the Resources of the Baidu page under the http protocol. You will find that the name field is not uploaded to the server
3. What if I set secure to false?
Taking Baidu as the example again, if it is set to false, then whichever protocol the Baidu page was using when you set the cookie, this field can be seen in the cookies of the Baidu pages on both sides.
This makes the cookie available across both protocols, but it also carries a certain risk of eavesdropping.
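The sending rule described above, as an added example that is not code from the original article: it parses cookie strings, builds the Cookie header a browser would send for an https and an http URL, and lists the cookies in a set of Set-Cookie lines that lack the attribute. The host shop.example, the theme/sid/csrf cookies and the function names are assumptions made for the illustration.

```javascript
// Added example: models only the Secure check plus an exact host match.
// Real browsers also apply Domain, Path, SameSite and expiry rules.

// Parse a cookie string as written to document.cookie or sent in Set-Cookie.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
  };
  for (const attr of attrs) {
    // Attributes are matched by name, case-insensitively (RFC 6265, 5.2.5).
    if (attr.split("=")[0].trim().toLowerCase() === "secure") cookie.secure = true;
  }
  return cookie;
}

// Build the Cookie request header a browser would send for `url`.
function cookieHeaderFor(jar, url) {
  const { protocol, hostname } = new URL(url);
  return jar
    .filter((c) => c.host === hostname)
    .filter((c) => !c.secure || protocol === "https:") // the Secure rule
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Defender's check: names of cookies in Set-Cookie lines that lack Secure.
function missingSecure(setCookieLines) {
  return setCookieLines.map(parseCookie).filter((c) => !c.secure).map((c) => c.name);
}

// Constructed jar for the hypothetical host shop.example.
const jar = [
  "name=EX; max-age=604800; secure",
  "theme=dark; max-age=604800",
].map((s) => ({ ...parseCookie(s), host: "shop.example" }));

console.log("https:", cookieHeaderFor(jar, "https://shop.example/"));
console.log("http: ", cookieHeaderFor(jar, "http://shop.example/"));
console.log("lacking Secure:", missingSecure(["sid=abc; Path=/; HttpOnly", "csrf=xyz; Secure; Path=/"]));
```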
The above is the entire content of this article. I hope it can help everyone learn about cookies.