Differences between Regular & Secure Cookies.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the browser ignores the HttpOnly flag and creates a traditional, script-accessible cookie. As a result, the typical session cookie becomes vulnerable to theft or modification by malicious script.
How do Secure Cookies work exactly?
A secure cookie works by giving the server a mechanism to store and retrieve state information on the client application's system. This mechanism allows Web-based applications to store information about selected items, user preferences, registration information, and other information that can be retrieved later. Cookies work through two related headers, Set-Cookie and Cookie. The Set-Cookie header is sent in the HTTP response and creates the cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server, if there is a cookie whose domain and path match that request. A cookie carrying the Secure attribute is only included in requests sent over HTTPS, so it is never exposed on an unencrypted connection.
What is an HttpOnly cookie?
An HttpOnly cookie carries a special 'HttpOnly' flag in the Set-Cookie header that ensures the cookie is only used when transmitting HTTP (or HTTPS) requests; client-side script, such as code reading document.cookie, cannot access it.
Combined, the Secure attribute and the HttpOnly flag produce a more robust cookie that is less prone to attack. Together they let the browser keep cookie data away from scripts running in the page and off unencrypted connections. This limits the potential damage of many cross-site scripting attacks, specifically those that target cookie data.
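The Set-Cookie/Cookie exchange and the Secure and HttpOnly rules described above, as an added example that is not part of the original page: a small audit script that parses Set-Cookie headers, reports cookies missing either flag, and models whether a browser would attach a cookie to a given request (scheme, domain and path matching) or expose it to script. The sample headers and host names are constructed for illustration.

```python
"""Audit Set-Cookie headers and model browser handling of Secure/HttpOnly."""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample response headers, as a server might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Domain=example.com",
    "cart=42; Path=/shop; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "path": "/",
              "domain": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def audit(headers: List[str]) -> List[str]:
    """Report every cookie that lacks Secure or HttpOnly."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        missing = [f for f in ("Secure", "HttpOnly") if not c[f.lower()]]
        if missing:
            findings.append(f"{c['name']}: missing {', '.join(missing)}")
    return findings


def would_send(cookie: Dict[str, object], request_url: str, set_from_host: str) -> bool:
    """Browser decision: Secure needs https; domain and path must match."""
    u = urlparse(request_url)
    if cookie["secure"] and u.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    host, domain = (u.hostname or "").lower(), cookie["domain"]
    if domain is None and host != set_from_host:
        return False  # no Domain attribute: host-only cookie
    if domain is not None and not (host == domain or host.endswith("." + domain)):
        return False
    path, cpath = u.path or "/", str(cookie["path"])
    return path == cpath or path.startswith(cpath.rstrip("/") + "/")


def script_accessible(cookie: Dict[str, object]) -> bool:
    """HttpOnly cookies are hidden from document.cookie."""
    return not cookie["httponly"]
```

Running `audit(SAMPLE_SET_COOKIE_HEADERS)` flags `prefs` (missing both flags) and `cart` (missing HttpOnly), while the `session` cookie passes.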