How curl Handles Secure Cookies over HTTP
This article provides a clear technical overview of how the
curl command-line tool and library handle cookies marked
with the “Secure” attribute when communicating over unencrypted HTTP
connections. It explains the security rules curl follows,
how it processes incoming secure cookies over plaintext channels, and
how it manages these cookies within its local cookie jar.
Transmission of Secure Cookies
When curl is instructed to send a request to an
unencrypted http:// URL, it inspects its active cookie jar.
If a cookie in the jar has the “Secure” flag enabled, curl
will strictly refuse to send it. This behavior aligns with RFC 6265,
which dictates that secure cookies must only be transmitted over
encrypted connections (such as HTTPS) to protect sensitive data from
being intercepted in transit by eavesdroppers.
Receiving Secure Cookies over HTTP
If an unencrypted HTTP server attempts to set a cookie with the
“Secure” attribute using the Set-Cookie header, modern
versions of curl will reject and ignore the cookie.
Allowing an insecure connection to set a “Secure” cookie opens up
vulnerabilities to cookie injection and session hijacking. Therefore,
curl requires a secure HTTPS channel to accept and save a
cookie marked as “Secure”.
Storage in the Cookie Jar
When curl saves cookies to a file using the
--cookie-jar (or -c) option, it writes them in
the standard Netscape cookie file format. In this text file, one of the
columns represents a boolean flag indicating whether the cookie is
secure:
- TRUE: The cookie is marked Secure and will only be read and transmitted by curl during future HTTPS requests.
- FALSE: The cookie is not marked Secure, and curl will allow it to be sent over both HTTP and HTTPS connections.
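The following is an added illustration of the three rules above (transmission, receiving, and the jar format); it is a small Python model written for this article, not curl's own code. It parses a constructed Netscape-format jar, then applies the two Secure checks: a Secure cookie is withheld from http:// requests, and a Set-Cookie carrying Secure is rejected when it arrives over http://.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample jar in the Netscape format curl writes. Columns (tab
# separated): domain, include-subdomains, path, secure, expiry, name, value.
SAMPLE_JAR = """# Netscape HTTP Cookie File
example.com\tFALSE\t/\tTRUE\t0\tsession_id\t12345
example.com\tFALSE\t/\tFALSE\t0\ttheme\tdark
"""

Cookie = namedtuple("Cookie", "domain subdomains path secure name value")

def parse_jar(text: str) -> list:
    """Parse Netscape cookie-file lines; '#HttpOnly_' is a cookie, '#' a comment."""
    jar = []
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 7:
            continue  # malformed line, skip it
        jar.append(Cookie(f[0].lstrip("."), f[1] == "TRUE", f[2], f[3] == "TRUE", f[5], f[6]))
    return jar

def cookies_to_send(jar: list, url: str) -> list:
    """Transmission rule: a Secure cookie is never sent over plain http."""
    u = urlsplit(url)
    host, path = (u.hostname or ""), (u.path or "/")
    sel = []
    for c in jar:
        domain_ok = host == c.domain or (c.subdomains and host.endswith("." + c.domain))
        if domain_ok and path.startswith(c.path) and (u.scheme == "https" or not c.secure):
            sel.append(c)
    return sel

def accept_set_cookie(header: str, origin_url: str):
    """Receiving rule: a Set-Cookie with Secure is dropped if it came over http."""
    u = urlsplit(origin_url)
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    flags = {a.split("=", 1)[0].lower(): a.partition("=")[2] for a in attrs}
    if "secure" in flags and u.scheme != "https":
        return None  # rejected rather than stored in the jar
    return Cookie(u.hostname or "", False, flags.get("path") or "/", "secure" in flags, name, value)
```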
Bypassing the Restriction for Testing
If you must force curl to send a secure cookie over an
unencrypted connection for development or testing purposes, you can
bypass the internal cookie engine entirely. This is achieved by manually
passing the cookie as a raw header string using the
--cookie (or -b) option:
curl --cookie "session_id=12345" http://example.com
Because this method bypasses the cookie jar logic, curl treats it as a
standard header and transmits the data without performing any protocol
security checks.