scar writes:

> i also learned, that by using a cookie editor, you cannot force a cookie
> to be sent over an encrypted connection.

Which cookie editor(s) did you try? I use Add 'n' Edit Cookies, a Firefox plugin. It offers a radio button to turn the Secure attribute on or off, but I have not tested it to see if turning Secure on really works as it should. If you tested it and it didn't work, that would seem like a bug in Add 'n' Edit Cookies that the maintainer would want to know about.

It seems like it should be relatively easy to make a Firefox plugin that always rewrites the Set-Cookie headers of incoming HTTP responses to have the Secure attribute, so that Firefox thinks the server set them that way. I have never written a Firefox plugin, though, so maybe it's hard. Dunno.

> ultimately, i would recommend turning off cookies altogether. if you
> have to log on to some site, i would recommend creating a new anonymous
> email to use for that purpose alone.

Cookies are a fine session management mechanism, and better than some alternatives (e.g. putting a session identifier on the query string -- eek!). Web application developers just have to know how to use them correctly.

> really, i don't see why the webmasters do not just set cookies to be sent
> over SSL. i'm not a webmaster. but, is it really that hard? does it add
> that much more overhead than they are already experiencing from using
> HTTPS? or are they just ignorant, lazy?

In my experience, it's mainly ignorance. Developers have often never heard of the Secure attribute, or if they have, they don't know what it means.
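The reply above speculates about a Firefox plugin that rewrites incoming Set-Cookie headers to carry the Secure attribute, and notes that developers often don't know what Secure means. The following is an added example, not code from the original post or from Add 'n' Edit Cookies: it implements the header-rewriting step as plain functions, models how a browser honours Secure (a Secure cookie is only attached to https:// requests, per RFC 6265), and shows, as an assumption about how such a plugin would be wired today, a guarded registration against the WebExtensions webRequest API. The cookie names, values and URLs are constructed for the demo, and the cookie-jar model ignores domain matching and uses a simplified path check.

```javascript
// Added example (not from the original post). Forces the Secure attribute
// onto Set-Cookie header values and models the browser-side effect.

// Split one Set-Cookie header value into its name=value pair and a map of
// attributes keyed by lowercase attribute name (value-less ones map to true).
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue;
  const value = eq >= 0 ? nameValue.slice(eq + 1).trim() : '';
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i >= 0 ? a.slice(0, i) : a).trim().toLowerCase();
    attributes[key] = i >= 0 ? a.slice(i + 1).trim() : true;
  }
  return { name, value, attributes };
}

// Return the header value with Secure added, or unchanged if it already has it.
// Matching is case-insensitive ("secure", "SECURE" and "Secure" all count).
function forceSecure(headerValue) {
  const { attributes } = parseSetCookie(headerValue);
  if ('secure' in attributes) return headerValue;
  return headerValue.replace(/[;\s]+$/, '') + '; Secure';
}

// Simplified model of the browser's send decision: drop Secure cookies for
// non-https requests and apply a prefix check on Path. Domain matching and the
// full RFC 6265 path-match rules are deliberately left out.
function cookiesToSend(jar, requestUrl) {
  const url = new URL(requestUrl);
  return jar
    .filter((c) => !c.attributes.secure || url.protocol === 'https:')
    .filter((c) => url.pathname.startsWith(String(c.attributes.path || '/')))
    .map((c) => `${c.name}=${c.value}`);
}

// Drive the pieces with constructed sample headers (not captured traffic):
// one session cookie set without Secure, one already Secure.
function demo() {
  const raw = [
    'SID=31d4d96e407aad42; Path=/; HttpOnly',
    'lang=en; Path=/; Secure',
  ];
  const rewritten = raw.map(forceSecure);
  const jar = rewritten.map(parseSetCookie);
  return {
    rewritten,
    overHttp: cookiesToSend(jar, 'http://example.com/account'),
    overHttps: cookiesToSend(jar, 'https://example.com/account'),
  };
}

// Assumed extension wiring (WebExtensions webRequest API; requires the
// "webRequest", "webRequestBlocking" and host permissions in the manifest).
// Firefox may fold several Set-Cookie headers into one value separated by
// newlines, so each line is rewritten separately. Skipped outside a browser.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => ({
      responseHeaders: details.responseHeaders.map((h) =>
        h.name.toLowerCase() === 'set-cookie'
          ? { ...h, value: h.value.split('\n').map(forceSecure).join('\n') }
          : h),
    }),
    { urls: ['<all_urls>'] },
    ['blocking', 'responseHeaders'],
  );
}
```

Run under Node and call `demo()`: both cookies end up Secure, so the http:// request carries no cookies at all while the https:// request carries both, which is exactly the property the original poster wanted the cookie editor to enforce.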

