Setting the SSL Only Flag


Description of the Problem

One of the values in a cookie is the SSL-only bit (the Secure flag). If this bit is set to true, the cookie will only be sent back to the server over a connection that is encrypted with SSL. If it is set to false, the cookie will be sent whenever the user visits the domain, whether or not the connection is encrypted.

An example of a site which suffers from this problem is sprintpcs.com. If a user logs into sprintpcs.com over SSL but later visits http://www.sprintpcs.com/, the authenticator will go over the network in the clear.

The risk is not too great, but anyone listening on the local network can change your phone plan, view your usage, etc.

Solutions

Set the "SSL only" flag. Also set the domain of the cookie to something more specific than the top-level domain.
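The following is an added example (not part of this page or of any site it names) that parses Set-Cookie headers, reports a session cookie that lacks the SSL-only flag or carries an over-broad Domain, and simulates whether a browser would attach the cookie to a plain-HTTP request. All host names and cookie values in it are constructed for illustration.

```python
"""Audit Set-Cookie headers for the SSL-only (Secure) flag and Domain scope."""


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def domain_matches(request_host, cookie_domain):
    """Domain matching as browsers do it: the request host is the cookie's
    Domain itself or a subdomain of it (a leading dot is ignored)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def would_be_sent(header, set_by_host, scheme, request_host):
    """Would a browser attach this cookie to a request for scheme://request_host/?
    Path is ignored: every request is assumed to be for '/'."""
    _, _, attrs = parse_set_cookie(header)
    if attrs.get("secure") is True and scheme != "https":
        return False  # the SSL-only flag keeps the cookie off clear-text connections
    domain = attrs.get("domain")
    if isinstance(domain, str):
        return domain_matches(request_host, domain)
    return request_host.lower() == set_by_host.lower()  # no Domain: host-only cookie


def audit(header, set_by_host):
    """List the problems a reviewer would flag for a session cookie set by set_by_host."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if attrs.get("secure") is not True:
        problems.append(f"{name}: Secure flag missing, so it is also sent over plain HTTP")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.lower().lstrip(".") != set_by_host.lower():
        problems.append(f"{name}: Domain={domain} is broader than the host {set_by_host}")
    return problems


if __name__ == "__main__":
    # Constructed headers: the weak cookie described above, then the corrected one.
    for h in ("session=0123abcd; Domain=.example.com; Path=/",
              "session=0123abcd; Secure; Domain=secure.example.com; Path=/"):
        print(h, "->", audit(h, "secure.example.com"),
              "sent over http://www.example.com/:", would_be_sent(h, "secure.example.com", "http", "www.example.com"))
```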

List of sites that have suffered from this problem

