secure and httponly cookies

Krishna Kumar K K krishna at
Tue Mar 8 00:38:48 UTC 2016

I am able to modify the set-cookie header from the server to flag it secure. I am trying to do the same in the request header as well.

-----Original Message-----
From: nginx [mailto:nginx-bounces at] On Behalf Of Francis Daly
Sent: Monday, March 07, 2016 2:57 PM
To: nginx at
Subject: Re: secure and httponly cookies

On Mon, Mar 07, 2016 at 09:50:00PM +0000, Krishna Kumar K K wrote:

Hi there,

> I have tried exactly the same as in this page:-
> proxy_cookie_path / "/; secure; HttpOnly";
> it sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the requests header without these flags, it just resets it.

That sounds like it is doing exactly what it should, no?

Flags are sent by the server in Set-Cookie response headers. Cookies are sent by the client (or not) in Cookie request headers.

What behaviour do you want that you are not seeing?

Francis Daly        francis at

nginx mailing list
nginx at 

More information about the nginx mailing list