Safe cookie and invalid certificate
Is a cookie with the Secure flag sent to an HTTPS server with an invalid certificate? I mean, I have an application served by an HTTPS server that sends a cookie with the Secure flag set after the login step. Is my server supposed to receive the cookie if it has an invalid certificate? Is this standardized (it seems not)? Can someone point me to the relevant part of the standard?
Yes, a cookie with the Secure flag set is only sent over secure TLS/SSL connections:
If the cookie's secure-only flag is true, then the request-uri's scheme must denote a "secure" protocol (as defined by the user agent). [...] Generally, user agents consider a protocol secure if the protocol uses transport layer security such as SSL or TLS. For example, most user agents consider "https" to be a scheme that denotes a secure protocol.
But for establishing a TLS/SSL connection, all that matters is whether the certificate is trusted. It doesn't matter how you came to trust the certificate, i.e. whether it was trusted automatically or manually.
Whether the certificate is valid or not is really irrelevant. If an invalid certificate is found while browsing to the site, most browsers will inform the user that the certificate is invalid and let the user decide if they want to proceed or not.
Regarding the "secure" part of the cookie, all it does is tell the browser that the cookie is only valid for https connections and should not be transmitted over normal http connections.
This means that yes, your server should receive the cookie from the browser, assuming the URL being accessed is an https URL, even if the server certificate is invalid.
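To make the rule in the two answers above concrete, here is an added example (not from the question or the answers) of the cookie-selection logic a user agent applies per RFC 6265 section 5.4: domain match, path match, the Secure flag against the request scheme, and HttpOnly against non-HTTP access. Certificate validity is not an input anywhere in it; the cookie jar, the Cookie class and the sample cookies are constructed for illustration, and host-only cookies and ordering by path length are left out.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False      # the "Secure" attribute (secure-only flag)
    http_only: bool = False   # the "HttpOnly" attribute


def domain_matches(host: str, cookie_domain: str) -> bool:
    # RFC 6265 5.1.3: identical, or host is a subdomain of the cookie domain
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 5.1.4: identical, or prefix ending in "/", or prefix at a "/" boundary
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_to_send(jar: list[Cookie], url: str, non_http_api: bool = False) -> list[Cookie]:
    """Subset of RFC 6265 5.4. The TLS handshake (and any certificate warning the
    user clicked through) is already over by the time this runs, so the only thing
    the Secure flag is checked against is the URL scheme."""
    parts = urlsplit(url)
    host, req_path = parts.hostname or "", parts.path or "/"
    secure_scheme = parts.scheme.lower() == "https"   # "secure" protocol as the UA defines it
    selected = []
    for c in jar:
        if not domain_matches(host, c.domain) or not path_matches(req_path, c.path):
            continue
        if c.secure and not secure_scheme:
            continue   # Secure: never attach to a plain http request
        if c.http_only and non_http_api:
            continue   # HttpOnly: hidden from script access such as document.cookie
        selected.append(c)
    return selected


def cookie_header(jar: list[Cookie], url: str, non_http_api: bool = False) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in cookies_to_send(jar, url, non_http_api))


# Constructed sample jar, as a browser might hold it after login to example.com.
JAR = [
    Cookie("session", "abc123", "example.com", "/", secure=True, http_only=True),
    Cookie("pref", "dark", "example.com", "/"),
    Cookie("admin", "x", "example.com", "/admin", secure=True),
]
```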
There is also this statement in RFC 2965, which is deprecated by RFC 6265:
The user agent (possibly with user interaction) MAY determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be viewed as advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents. When it sends a "secure" cookie back to the server, the user agent MUST use at least the same security level as when it received the cookie from the server.