How to set cookie secure flag using javascript
Javascript Problem Overview
I have tried to set a cookie using document.cookie = "tagname = test; secure"
but this does not set the secure flag. Am I setting it wrong? Can you only set it from a server response? I am also wondering whether, because I have had a difficult time finding an example of its use, it is probably not commonly used?
Thanks a bunch!
Javascript Solutions
Solution 1 - Javascript
TL;DR
document.cookie = "tagname = test;secure";
You have to use HTTPS to set a secure attribute
The normal (or formal, maybe) name is attribute, since the flag refers to other things.
More Info
Cookie attributes:
> Secure - Cookie will be sent in HTTPS transmission only.
>
> HttpOnly - Don't allow scripts to access cookie. You can set both of the Secure and HttpOnly.
>
> Domain - specify the hosts to which the cookie will be sent.
>
> Path - create scopes, cookie will be sent only if the path matches.
>
> Expires - indicates the maximum lifetime of the cookie.

For more details and practical usage, check Testing_for_cookies_attributes_(OTG-SESS-002).
UPDATES: The following contents expire on June 2, 2016.
Cookie Flags
Cookie flags are prefixes. At the moment, they are described in the RFC draft as an update to RFC 6265.
These flags are used with the 'secure' attribute.
__Secure-
> The dash is a part of the prefix. This flag tells the browser that the cookie should only be included in 'https'.
__Host-
A cookie with this flag
> 1. Must not have a 'domain' attribute; it will be only sent to the host which set it.
>
> 2. Must have a 'path' attribute that is set to '/', because it will be sent to the host in every request from the host.
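The rules from Solution 1 (Secure requires HTTPS, plus the `__Secure-` and `__Host-` prefix requirements) checked before writing to document.cookie. This is an added example, not part of the original answers; `buildCookie` and its option names are hypothetical.

```javascript
// Added example: builds a string for document.cookie and enforces the
// Secure / prefix rules described above. buildCookie is a hypothetical
// helper, not a browser API.
function buildCookie(name, value, opts = {}, protocol = "https:") {
  const { secure = false, path, domain, expires } = opts;
  const prefixed = name.startsWith("__Secure-") || name.startsWith("__Host-");

  // A Secure cookie can only be set from a page loaded over HTTPS.
  if (secure && protocol !== "https:") {
    throw new Error("Secure cookies can only be set from an HTTPS page");
  }
  // Both prefixes are used together with the Secure attribute.
  if (prefixed && !secure) {
    throw new Error("prefixed cookie names require the Secure attribute");
  }
  // __Host- additionally needs Path=/ and must not carry Domain.
  if (name.startsWith("__Host-")) {
    if (domain !== undefined) throw new Error("__Host- cookies must not set Domain");
    if (path !== "/") throw new Error("__Host- cookies must set Path=/");
  }

  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (path !== undefined) parts.push(`Path=${path}`);
  if (domain !== undefined) parts.push(`Domain=${domain}`);
  if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// In a browser, pass the page's own protocol so the HTTPS check is real:
//   document.cookie = buildCookie("__Host-tagname", "test",
//                                 { secure: true, path: "/" }, location.protocol);
```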
Solution 2 - Javascript
This cookie package is easy to use @ https://www.npmjs.com/package/js-cookie
// to set a cookie, use
Cookies.set('name', 'value', { expires: 7, path: '' });
// to read the cookie, use
Cookies.get('name'); // => 'value'
// to delete the cookie, use
Cookies.remove('name')
// to set a secure cookie, use
Cookies.set('name', 'value', { secure: true });
Solution 3 - Javascript
Because the flag is called secure, not security:
document.cookie = "tagname = test;secure";