Security of HTTP based authentication

David Precious davidp at
Fri Jan 14 13:04:46 GMT 2011

On Thu, 2011-01-13 at 14:09 +0000, Andrew Black wrote:
> I have often wondered about that - what is the risk in mixing HTTP
> images and HTTPS text? 

One reason could be that if the web app didn't include 'secure' in the
Set-Cookie header, the session cookie could be sent in the clear for the
image requests too, assuming they're requested from the same domain as
the rest of the page.

Of course, marking the cookie as secure (to be sent only over HTTPS
requests) would take care of that, as would requesting images from a
different domain as often seen ( etc).

David Precious <davidp at> ("bigpresh")
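The point about the session cookie riding along on plain-HTTP image requests, as an added example that is not part of the original post: a simplified model of the browser's decision to attach a cookie (host match plus the Secure attribute only, no Path, Domain or SameSite handling), run over constructed page and image URLs. Hostnames, cookie values and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); bare attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True
    return name.strip(), value.strip(), attrs


def cookie_sent_to(header, set_on_url, request_url):
    """Would a cookie set by `set_on_url` be attached to a request for `request_url`?
    Simplified browser rule: same host, and if Secure is present, https only."""
    _, _, attrs = parse_set_cookie(header)
    origin, target = urlsplit(set_on_url), urlsplit(request_url)
    if origin.hostname != target.hostname:
        return False  # different domain (e.g. a separate static host): never sent
    if "secure" in attrs and target.scheme != "https":
        return False  # Secure attribute: never sent in the clear
    return True


def cleartext_leaks(header, page_url, subresource_urls):
    """Return the plain-http subresource URLs the cookie would be sent to."""
    return [u for u in subresource_urls
            if urlsplit(u).scheme == "http" and cookie_sent_to(header, page_url, u)]


# Constructed sample data (hypothetical hosts, not from the original post).
PAGE = "https://shop.example/account"
IMAGES = ["http://shop.example/img/logo.png",    # same host, plain HTTP
          "http://static.example/hero.jpg",      # different host, plain HTTP
          "https://shop.example/img/cart.png"]   # same host, HTTPS
WEAK = "session=abc123; Path=/; HttpOnly"          # no Secure attribute
FIXED = "session=abc123; Path=/; HttpOnly; Secure"  # Secure attribute added

if __name__ == "__main__":
    print(cleartext_leaks(WEAK, PAGE, IMAGES))   # ['http://shop.example/img/logo.png']
    print(cleartext_leaks(FIXED, PAGE, IMAGES))  # []
```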
