Setting the SSL Only Flag

Description of the Problem

One of the attributes of a cookie is the SSL-only bit (the Secure flag). If this bit is set to true, the cookie will only be sent back to the server over a connection which is encrypted with SSL. If it is set to false, the cookie will be sent whenever the user visits the domain, whether or not the connection is encrypted.

An example of a site which suffers from this problem is . Therefore, if a user logs into the site with SSL, but later visits it over an unencrypted connection, the authenticator will go over the network in the clear.

The risk is not too great, but anyone listening on the local network can change your phone plan, view your usage, etc.


Set the "SSL only flag." Also set the domain of the cookie to something more specific than the top level domain.
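As an added example (not from the original page), a small Python audit of Set-Cookie headers that flags a cookie lacking the SSL-only flag and a Domain attribute wider than the login host; the header values and host names below are constructed, and the "broad domain" test is a label-count heuristic rather than a public suffix list.

```python
# Added example (not from the original page): audit Set-Cookie headers for the
# "SSL only" (Secure) flag and an overly broad Domain attribute.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    domain: str | None = None   # None means host-only cookie

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=val ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower() or None
    return cookie

def domain_is_broad(domain: str | None) -> bool:
    """Heuristic: two labels or fewer (e.g. example.com) covers every host in the domain."""
    return domain is not None and domain.count(".") < 2

def sent_in_clear(cookie: Cookie, scheme: str) -> bool:
    """A browser sends a non-Secure cookie on http:// too; a Secure cookie only over https://."""
    return scheme == "http" and not cookie.secure

def audit(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Return, per cookie name, the problems described on this page."""
    findings = {}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        problems = []
        if sent_in_clear(c, "http"):
            problems.append("missing SSL-only (Secure) flag: sent over plain HTTP")
        if domain_is_broad(c.domain):
            problems.append(f"Domain={c.domain} is broader than the login host")
        findings[c.name] = problems
    return findings

# Constructed sample headers: the weak cookie beside its corrected form.
WEAK = "auth=tok123; Domain=.example.com; Path=/"
FIXED = "auth=tok123; Secure; Domain=account.example.com; Path=/"
```

Running audit([WEAK]) reports both problems, while audit([FIXED]) reports none.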

List of Sites that have suffered this problem
