secure cookie

 Another less commonly used cookie attribute is Secure. When it is set, the browser sends the cookie to the server only in HTTPS requests. If your application has sensitive operations such as login or payment, you need HTTPS to protect the transmitted content; and if the session cookie that identifies the client after a successful login is not marked Secure, the browser will also send it on plain HTTP requests (an attacker on the network only needs the browser to load any http:// URL on your domain, for example an image), and the user's identity leaks. So if your site uses SSL/TLS, carefully check the Set-Cookie values returned in HTTPS responses and confirm that the Secure attribute is present on each of them.

    In CAS (Central Authentication Service) and other web development you will run into the concept of a secure cookie, because CAS stores the reference to the ticket-granting ticket (TGT) in a secure cookie, the TGC.

 

The following explains secure cookies:

    The Secure attribute of Set-Cookie exists to deal with this situation. It means the cookie that was created can only be passed by the browser to the server for session verification over an HTTPS connection. Over an HTTP connection the cookie is not sent at all, so it cannot be sniffed on the wire. Note that Secure only protects the cookie in transit; it does not stop script running on the page from reading the cookie (that is what the HttpOnly attribute is for).

   With setSecure(true) on a Java Servlet Cookie, the cookie is delivered to the server side only over HTTPS; over HTTP it is not delivered.
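The following is an added example, not code from the original article or from CAS. It covers both the check asked for above (inspecting the Set-Cookie values an HTTPS response returns for a missing Secure attribute) and the browser rule just described (a Secure cookie is attached only to HTTPS requests). The cookie names, values and the host sso.example.com are constructed for illustration; the parser handles only the attributes needed here and omits Domain matching.

```javascript
// Added example, not from the original article: audit Set-Cookie headers for
// the Secure attribute and model the browser rule that decides whether a
// cookie is attached to a request. All cookie names, values and hosts below
// are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, secure, httpOnly, attributes }.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error(`malformed Set-Cookie: ${header}`);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else cookie.attributes[key] = val;
  }
  return cookie;
}

// The check the article asks for: names of cookies set without Secure.
function auditSetCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.secure).map((c) => c.name);
}

// Browser rule (RFC 6265 section 5.4): a Secure cookie is attached only to
// requests over a secure scheme. Path matching follows the usual prefix rule;
// Domain matching is left out because the sample cookies are host-only.
function wouldBrowserSend(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  const path = cookie.attributes.path || '/';
  const prefix = path.endsWith('/') ? path : path + '/';
  return u.pathname === path || u.pathname.startsWith(prefix);
}

function cookiesSentTo(cookies, url) {
  return cookies.filter((c) => wouldBrowserSend(c, url)).map((c) => c.name);
}

// Constructed sample: what a CAS-style SSO server might return after login.
// JSESSIONID lacks Secure, so it leaks on the first plain-HTTP request.
const SAMPLE_HEADERS = [
  'TGC=TGT-1-constructed; Path=/cas; Secure; HttpOnly',
  'JSESSIONID=constructed123; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

const jar = SAMPLE_HEADERS.map(parseSetCookie);
console.log('missing Secure :', auditSetCookies(SAMPLE_HEADERS));
console.log('sent over http :', cookiesSentTo(jar, 'http://sso.example.com/cas/login'));
console.log('sent over https:', cookiesSentTo(jar, 'https://sso.example.com/cas/login'));
```

Run with node; the audit lists JSESSIONID and theme as lacking Secure, and the http:// request receives exactly those two cookies while the TGC stays home. In practice you would feed auditSetCookies the raw Set-Cookie headers captured from your login and payment responses.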
