Secure & HTTP Only Flag on Cookie
Hi,
As a reminder, a cookie is usually created on the browser at the request of the web server to store a report, which will then be retransmitted on the next requests. For this purpose, the web server uses the Set-Cookie header in an HTTP response.
So about what you asked: should the request cookies have the secure flag set?
It doesn't really work that way. The flags are only present in the Set-Cookie header (the response).
When the client (a browser) receives a Set-Cookie header, it will store the flags together with the cookie value, but only for its own usage (so that the browser itself can know when and where to send the cookie value if necessary).
The Cookie header (request) cannot contain flags; it is only a list of name=value pairs, and when you (the server) receive them, you're not even guaranteed to have set them yourself.
However, excluding the possibility of really horrible browser bugs, you can be sure that if you set the "secure" flag for a cookie in your response, the receiving browser won't send it over a non-encrypted connection. It's not really 100% guaranteed, but it's really the only option you have, and pretty much the whole web relies on browsers behaving properly, so you're not alone in that.
So your behaviour is normal.
Hope it's clear. Keep me in touch! Regards,
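To make the response/request asymmetry concrete, here is an added example (not part of the reply above, and not F5 code) that models both sides: a browser-style parser for the Set-Cookie header that keeps the Secure and HttpOnly flags, the browser's decision whether to attach a Secure cookie to a given URL, and the server-side view of the resulting Cookie header, which carries only name=value pairs. All cookie names, values and URLs are constructed for illustration.

```python
"""Added example: Set-Cookie flags live in the browser's cookie store; the
Cookie request header carries only name=value pairs. Sample cookie names,
values and URLs below are constructed, not taken from any real site."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    """What a browser keeps after processing one Set-Cookie header."""
    name: str
    value: str
    secure: bool       # only send over https
    http_only: bool    # not exposed to document.cookie / scripts


def parse_set_cookie(header: str) -> StoredCookie:
    """Split 'name=value; Secure; HttpOnly; Path=/' the way a browser does.
    Attribute names are case-insensitive (RFC 6265), so compare lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {a.lower() for a in parts[1:]}
    return StoredCookie(name.strip(), value.strip(),
                        secure="secure" in attrs, http_only="httponly" in attrs)


def should_send(cookie: StoredCookie, url: str) -> bool:
    """Browser rule: a Secure cookie is attached only to https requests."""
    return (not cookie.secure) or urlsplit(url).scheme == "https"


def visible_to_script(cookie: StoredCookie) -> bool:
    """Browser rule: an HttpOnly cookie is hidden from page scripts."""
    return not cookie.http_only


def build_cookie_header(jar: list, url: str) -> str:
    """Request side: only name=value pairs go on the wire, never the flags."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if should_send(c, url))


def parse_cookie_header(header: str) -> dict:
    """Server side: all you can recover from the Cookie header is name=value;
    whether a cookie was set with Secure or HttpOnly is not visible here."""
    out = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            out[name] = value
    return out
```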
