How to set cookie secure flag using javascript

2020-02-26 14:04发布

I have tried to set a cookie using document.cookie = "tagname = test; secure" but this does not set the secure flag. Am I setting it wrong? Can you only set it from a server response? I am also wondering that, because I have had a difficult time finding an example of its use, that it probably is not commonly used?

Thanks a bunch!

标签： javascript security cookies get

2条回答

甜甜的少女心

2楼-- · 2020-02-26 14:27

TL:DR

document.cookie = "tagname = test;secure";

You have to use HTTPS to set a secure attribute

The normal (or formal, maybe) name is attribute. Since the flag refers to other things.

More Info

Cookie attributes:

Secure - Cookie will be sent in HTTPS transmission only.

HttpOnly- Don't allow scripts to access cookie. You can set both of the Secure and HttpOnly.

Domain- specify the hosts to which the cookie will be sent.

Path - create scopes, cookie will be sent only if the path matches.

Expires - indicates the maximum lifetime of the cookie.

More details and practical usages. Check Testing_for_cookies_attributes_(OTG-SESS-002)

UPDATES The following contents expire in June 2, 2016.

Cookie Flags

Cookie flags are prefixes. At the moment, they are described in the RFC draft as a update to the RFC6265

These flags are used with the 'secure' attribute.

__Secure-

The dash is a part of the prefix. This flag tells the browser, the cookie should only be included in 'https'.

__Host-

A cookie with this flag

must not have 'domain' attribute, it will be only sent to the host which set it.

Must have a 'path' attribute, that is set to '/', because it will be sent to the host in every request from the host.

0人赞添加讨论(0) 举报

劳资没心，怎么记你

3楼-- · 2020-02-26 14:36

because the flag is called secure, not security:

document.cookie = "tagname = test;secure";

0人赞添加讨论(0) 举报