secure and httponly cookies

Francis Daly francis at
Mon Mar 7 22:57:05 UTC 2016

On Mon, Mar 07, 2016 at 09:50:00PM +0000, Krishna Kumar K K wrote:

Hi there,

> I have tried exactly the same as in this page:-
> proxy_cookie_path / "/; secure; HttpOnly";
> it sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the requests header without these flags, it just resets it.

That sounds like it is doing exactly what it should, no?

Flags are sent by the server in Set-Cookie response headers. Cookies
are sent by the client (or not) in Cookie request headers.

What behaviour do you want that you are not seeing?

Francis Daly        francis at

More information about the nginx mailing list