In short: which versions of which common browsers don’t honor the “secure” flag for cookies? (this flag means that the browser is only supposed to send the cookie back to the server in the presence of a secure, i.e. SSL, connection)
We are working with another company, and their engineers vaguely asserted that “some browsers don’t respect the secure flag, so you risk having the cookie sent over an unencrypted link”. Despite a couple hours Googling, searching newsgroups, the Microsoft Knowledgebase, and the WWW in general, I’ve been unable to find definitive info about this. Plenty of places explain what the secure flag is supposed to do - but nowhere explains in terms like, “version 5.0 of IE didn’t honor this flag, but all versions thereafter do.” The only remotely related hit I kept getting was concerning some version of Konqueror (the KDE browser included in some Linux distros)
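For readers who want to see the behaviour the flag is supposed to produce, here is an added example (not from this thread or any browser's source) that models a conforming user agent's decision and includes a server-side audit for cookies issued without Secure; the Set-Cookie headers and the example.com URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a server might send them (not from the thread).
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into its name/value pair and attribute flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return {"name": name.strip(), "value": value.strip(),
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def cookies_to_send(jar, request_url):
    """Return the cookies a conforming user agent may attach to request_url.

    A cookie carrying the Secure attribute is only returned when the request
    scheme is https; cookies without the attribute are sent either way.
    """
    scheme = urlsplit(request_url).scheme.lower()
    return [c for c in jar if not c["secure"] or scheme == "https"]

def cookie_header(jar, request_url):
    """Build the Cookie request header, or None when nothing qualifies."""
    chosen = cookies_to_send(jar, request_url)
    return "; ".join(f"{c['name']}={c['value']}" for c in chosen) or None

def missing_secure(set_cookie_headers):
    """Server-side audit: names of cookies issued without the Secure attribute."""
    return [parse_set_cookie(h)["name"] for h in set_cookie_headers
            if not parse_set_cookie(h)["secure"]]

if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIES]
    for url in ("https://example.com/account", "http://example.com/account"):
        print(url, "->", cookie_header(jar, url))
    print("cookies set without Secure:", missing_secure(SAMPLE_SET_COOKIES))
```

Running the audit over your own server's response headers tells you which cookies would be exposed if a client ever made a plain-http request, independent of any particular browser's compliance.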
As a check, take a look at the URL: if it begins https://, it’s using a secure protocol.
I don’t know of any browser that doesn’t adhere to this protocol (and they put up the secure flag to indicate this to you). If they went to an https:// site, it would require that the data be sent securely; if the browser isn’t doing it, it can’t talk to the site.
I suppose it could be theoretically possible for a site to use a regular http:// address and start it with https://, but browsers are designed to go into secure mode if they see the https://, so it wouldn’t work.
RealityChuck thanks for the response, but that’s not what I am asking. I am specifically wondering about browsers honoring the ‘secure’ flag that can be applied to cookies, as described in the cookie spec.
In my experiments, I was unable to persuade IE, Netscape or Mozilla to transmit a cookie flagged as ‘secure’ over http - but that’s far from conclusive.