安全cookie和无效证书 [英] Secure cookie and invalid certificate

问题描述

是否应该将安全cookie发送到具有无效证书的HTTPS服务器？我的意思是，我有一个由HTTPS服务器提供服务的应用程序，该应用程序发送一个cookie，并在登录步骤后激活了安全标志。如果我的服务器具有无效的证书，是否应该接收cookie？这是规范化的（似乎不是），有人可以指出我该规范的相关部分吗？

Is a secure cookie supposed to be sent to an HTTPS server that have an invalid certificate? I mean, I have an application served by a HTTPS server which send a cookie with the secure flag activated after the login step. Is my server supposed to receive the cookie back if it has an invalid certificate? Is this is normalized (it seems it's not), could someone point me to the relevant part of the norm?

推荐答案

是的， 设置了安全标志的cookie仅针对受TLS / SSL保护的情况发送连接：

Yes, a cookie with Secure flag set is only sent for TLS/SSL secured connections:

如果cookie的secure-only-flag为true，则request-uri的方案必须表示安全协议（由用户代理定义）。 […]通常，如果该协议使用传输层安全性（例如SSL或TLS），则用户代理认为该协议是安全的。例如，大多数用户代理将 https视为表示安全协议的方案。

If the cookie's secure-only-flag is true, then the request-uri's scheme must denote a "secure" protocol (as defined by the user agent). […] Typically, user agents consider a protocol secure if the protocol makes use of transport-layer security, such as SSL or TLS. For example, most user agents consider "https" to be a scheme that denotes a secure protocol.

但是要建立TLS / SSL连接，仅关系证书是否受信任。证书的信任方式无关紧要，即e。是自动还是手动信任。

But to establish a TLS/SSL connection, it only matters whether the certificate is trusted. It doesn’t matter how the certificate was trusted, i. e. whether it was trusted automatically or manually.

这篇关于安全cookie和无效证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！