... but, if the server-side software is implemented at all properly, the cookie won't work. Browsers won't serve https cookies to non-https sites and vice-versa; not even if the URL is the same. Most session-handling packages on the server side also recognize the difference between secure and non-secure and will neither issue nor accept the same cookie value in both sides.
Cookies, IMHO, should always be random, salted values that are aggressively tested on the server side. The IP address should be the one to which they were issued; the protocol and security should be the same; the token should not be too old. And so on. Session management packages which do these things are readily available, and should be used.
Cookies, of course, should never "contain" information. All such things should be stored in server-side session storage. Furthermore, care must be taken to ensure that client-side data and scripts(!) are never "trusted." Even in HTTPS mode.
Last edited by sundialsvcs; 02-14-2016 at 07:21 PM.
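The server-side checks the post above describes (an opaque random token that carries no data, a session record kept on the server, the token bound to the issuing IP address and to the scheme it was issued under, and a maximum age) as an added Python example. This is illustration code written for this page, not the poster's code or any particular session package; the class and function names, the 15-minute lifetime, the choice to revoke a session on its first failed check, and the client addresses used below are all assumptions.

```python
# Added example (not the poster's code): opaque, random session tokens that
# are stored and checked server-side, bound to the client IP and the scheme
# (HTTP vs HTTPS) they were issued under, and expired after a fixed age.
# Names, field layout and the 15-minute max age are assumptions for illustration.
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_AGE_SECONDS = 15 * 60  # assumed session lifetime for the example


@dataclass
class Session:
    client_ip: str       # address the token was issued to
    secure: bool         # True if issued over HTTPS
    issued_at: float     # epoch seconds
    data: Dict[str, object] = field(default_factory=dict)  # server-side state only


def _key(token: str) -> str:
    # Store only a hash of the token so a leaked store does not expose live tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self, max_age: float = MAX_AGE_SECONDS) -> None:
        self._sessions: Dict[str, Session] = {}
        self.max_age = max_age

    def create(self, client_ip: str, secure: bool, now: Optional[float] = None) -> str:
        """Issue a fresh random token; nothing about the user is encoded in it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[_key(token)] = Session(client_ip, secure, now)
        return token

    def validate(self, token: str, client_ip: str, secure: bool,
                 now: Optional[float] = None) -> Tuple[bool, str]:
        """Check a presented token; any failed check revokes the session."""
        now = time.time() if now is None else now
        key = _key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return False, "unknown"
        if sess.client_ip != client_ip:
            reason = "ip_mismatch"
        elif sess.secure != secure:
            reason = "scheme_mismatch"
        elif now - sess.issued_at > self.max_age:
            reason = "expired"
        else:
            return True, "ok"
        del self._sessions[key]  # aggressive: one bad presentation ends the session
        return False, reason

    def get(self, token: str) -> Optional[Session]:
        return self._sessions.get(_key(token))


def set_cookie_header(token: str, secure: bool, name: str = "session") -> str:
    """Build the Set-Cookie line. HttpOnly keeps page scripts away from the
    token; Secure (set only when issued over HTTPS) tells the browser not to
    send it over plain HTTP; SameSite=Strict limits cross-site sending."""
    attrs = [f"{name}={token}", "Path=/", "HttpOnly", "SameSite=Strict"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("203.0.113.5", secure=True)  # constructed client address
    store.get(tok).data["user_id"] = 42             # state lives server-side only
    print(set_cookie_header(tok, secure=True))
    print(store.validate(tok, "203.0.113.5", secure=True))   # (True, 'ok')
    print(store.validate(tok, "203.0.113.5", secure=False))  # scheme mismatch, revoked
```

Binding to the client IP is the strictest of the checks and is the one most likely to cause false rejections for users behind carrier-grade NAT or mobile networks; a deployment that cannot tolerate that would drop the IP comparison and keep the scheme and age checks.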