I have a site with mixed HTTP / HTTPS. When the user logs in, she gets two cookies:
- a regular cookie with her (signed) username, login expire time, and an "insecure" flag
- a secure cookie with her (signed) username, login expire time, and a "secure" flag
- note that if you don't have the secure/insecure flag within the signed content, an attacker can intercept the regular cookie and then send it as the secure one (my first implementation made this mistake)
I use the regular cookie on HTTP pages (just for showing her name while she browses the marketing portion of the site). Then I use the secure cookie when she's on HTTPS pages (any user-specific pages).
I got the idea from Secure cookies and mixed https/http site usage.
Everything works great, except that when the user navigates from an HTTPS page to an HTTP one, all of the secure cookies get deleted - which means that they can't go back to HTTPS pages after visiting even a single HTTP page. I should mention that there is a "301 Moved Permanently" that redirects the user from HTTPS to HTTP.
My site isn't clearing the secure cookie. I know that the browser shouldn't send me the secure cookie while the user is looking at an HTTP site, but I expected the cookie to stick around for its lifetime, and get sent if the user ends up on an HTTPS page again.
I'm getting this same behavior on Chrome, Firefox, and IE. Any tips? I hope this isn't the expected behavior...
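An added example (not the asker's code) of the two-cookie scheme described in the question: the secure/insecure scope flag is part of the HMAC-signed payload, so a regular cookie replayed against an HTTPS page fails verification. The key, the `|`-separated layout and the field names are assumptions for illustration.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed example key; a real deployment loads this from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(username: str, expires_at: int, secure: bool) -> str:
    """Build 'username|expires|scope|mac' with the scope flag inside the MAC."""
    scope = "secure" if secure else "insecure"
    payload = f"{username}|{expires_at}|{scope}"
    return f"{payload}|{_sign(payload)}"


def verify_cookie(cookie: str, expect_secure: bool,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is authentic, unexpired and was issued
    for the scope this page runs in (HTTPS or HTTP); otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        username, expires_s, scope, mac = cookie.split("|")
        expires_at = int(expires_s)
    except ValueError:
        return None  # malformed cookie
    payload = f"{username}|{expires_s}|{scope}"
    if not hmac.compare_digest(_sign(payload), mac):
        return None  # tampered or forged
    if now >= expires_at:
        return None  # login expired
    if scope != ("secure" if expect_secure else "insecure"):
        return None  # regular cookie presented as the secure one (or vice versa)
    return username
```

The secure cookie still needs the `Secure` attribute on `Set-Cookie` so the browser only sends it over HTTPS; the signed flag is a server-side check on top of that.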
Welp, that's embarrassing. Here's what my problem turned out to be.