HTTP pages are removing my secure cookies

Question

I have a site with mixed HTTP / HTTPS. When the user logs in, she gets two cookies:

• a regular cookie with her (signed) username, login expire time, and an "insecure" flag
• a secure cookie with her (signed) username, login expire time, and a "secure" flag
  • note that if you don't have the secure/insecure flag within the signed content, an attacker can intercept the regular cookie and then send it as the secure one (my first implementation made this mistake)

I use the regular cookie on HTTP pages (just for showing her name while she browses the marketing portion of the site). Then I use the secure cookie when she's on HTTPS pages (any user-specific pages).

I got the idea from Secure cookies and mixed https/http site usage.

Everything works great, except that when the user navigates from an HTTPS page to an HTTP one, all of the secure cookies get deleted - which means that they can't go back to HTTPS pages after visiting even a single HTTP page. I should mention that there is a "301 Moved Permanently" that redirects the user to from HTTPS to HTTP.

My site isn't clearing the secure cookie. I know that the browser shouldn't send me the secure cookie while the user is looking at an HTTP site, but I expected the cookie to stick around for its lifetime, and get sent if the user ends up on an HTTPS page again.

I'm getting this same behavior on Chrome, Firefox, and IE. Any tips? I hope this isn't the expected behavior...

Answer 1

Welp, that's embarassing. Here's what my problem turned out to be.

• When the user tried to visit an HTTPS site from an HTTP one, their request would start as HTTP
• I would check their login credentials (which would fail, because the secure cookie wasn't there), then redirect them to HTTPS. My "require login" and "require HTTPS" systems were separate (a bad design now, but it was convenient in the bad old days where the login cookie wasn't secure)
• I thought my secure cookie was being deleted because the Chrome cookie browser doesn't show secure cookies when the page being shown is HTTP. The cookies were there all along.