How can I check that my cookies are only sent over encrypted https and not http?
The cookies secure flag looks like this:
secure;
That's it.
This should appear at the end of the Http header: 出现在HttpResponse的Header里面
Set-Cookie: mycookie=somevalue; path=/securesite/; Expires=12/12/2010; secure; httpOnly;
Of course, to check it, simply plug in any proxy or sniffer (I use the excellent Fiddler) and watch...
*Bonus: I also threw in there the httpOnly attribute, protects against cookie access from Javascript space, e.g. via XSS.
下面的demo
HTTP/1.1 302 Found
Cache-Control: private,no-cache,no-store
Content-Type: text/html; charset=utf-8
Location: /UK_60_Dev_Admin/Edenred/Home
Server: Microsoft-IIS/10.0
Set-Cookie: AdminSession=hg3heuwrkvjbs33splammvam; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: AdminSite=AFE9723AD316A7B77211552AE4E7913717B1FBA4C87DD997FD23950625C98F643F6A2F486247F893E9C8057CF047DF2D2CE47DEFD8B1EB5DFB676E02B00CFA3B3BE17FC0386F10576BB80B03B5F9CD737DBF37D52599BB80F9072E506DF8357E86807C4321094A81009B49F5C1AB0DF0F24360BAE10713A83E3C40EAD5FECCEB4C814FEC394C4EF4F386C849885A51F14A1D3A16D1E444F429D249BF1DBD457745C17BF0A70DAA47230FDA836CE8D55A5F915AA6B0CA17C5693CB79D89B3C12FF0E8D652EE12739BA1D15D4333641F8115676C84DEC2A83F326A199F69D2EAD08FE6BB8ACEF0BB917FCB938E5AB2B3DFBCE2B60C6AD0E019FD7A036E2CF9FDD4A5DCC69746BD602738BF7AE5657D1CE3AAE6E63C1BE23B0C905DB779; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Date: Tue, 07 Sep 2021 03:38:06 GMT
Content-Length: 146