I think the concern is that HTTPS is necessary, but not sufficient for security. If you use HTTPS on your site, but send cookies without the secure flag, then it is possible for someone to trick the user into acquiring (or otherwise obtain) standard HTTP content. Setting the secure flag requires that all content sent relative to the cookie be from HTTPS. Hopefully, that makes some sense.
5 comments
[ 2.9 ms ] story [ 25.2 ms ] threadSee http://enablesecurity.com/2008/08/11/surf-jack-https-will-no... for more information. The Internet -- it's a fragile thing.
(oops, I was referring to the link in the "surf jacking" comment below/above by sd)