Who’s re-baking my cookies?

While tinkering with JavaScript at work for a performance optimization, we encountered an annoying cookie-related problem. We wanted to check if a certain name/value was present in the cookie and not do “complicated and unneeded backend stuff” if it was not. But that didn’t always work, because in some browsers the cookie had the secure flag set and the JS check was done while on HTTP.

It took some time, digging and soul-searching, but it turned out to work fine for all but me. The reason: NoScript! My favorite Firefox add-on has, so I learned, “Automatic Secure Cookie Management” as a countermeasure against HTTPS cookie hijacking (by setting cookies “secure” if they’re set in HTTPS and if they contain something resembling a session-id?). And that feature can indeed break stuff.

So if you’re using NoScript and you’re running into weird cookie-related problems: try with “Automatic Secure Cookie Management” turned off, or add the site you’re on as an exception and you might be good to go.
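
The failure mode described above, as an added example that is not code from the original post: a page loaded over HTTP never sees cookies carrying the Secure flag, so a script-side presence check cannot tell "not set" from "set but hidden". The cookie names, the sample jar and the three-state `cookieState` helper are assumptions made for illustration.

```javascript
// Constructed cookie jar (names and values are made up for this example).
const jar = [
  { name: "sessid", value: "a1b2c3", secure: true }, // marked Secure, e.g. by NoScript
  { name: "lang", value: "en", secure: false },
];

// Models what document.cookie exposes to a page loaded over `protocol`:
// cookies with the Secure flag are withheld from non-HTTPS pages.
function visibleCookieString(cookieJar, protocol) {
  return cookieJar
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Parses a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip empty or malformed fragments
    const name = part.slice(0, eq).trim();
    if (name) cookies.set(name, part.slice(eq + 1).trim());
  }
  return cookies;
}

// Returns "present", "absent" or "unknown" (the three states are this
// example's choice). Over HTTP a missing cookie may simply be a hidden
// Secure cookie, so the caller should not skip backend work on that basis.
function cookieState(cookieString, protocol, name, expected) {
  const cookies = parseCookies(cookieString);
  if (cookies.has(name)) {
    const matches = expected === undefined || cookies.get(name) === expected;
    return matches ? "present" : "absent";
  }
  return protocol === "https:" ? "absent" : "unknown";
}

// In a browser: cookieState(document.cookie, location.protocol, "sessid")
console.log(cookieState(visibleCookieString(jar, "http:"), "http:", "sessid")); // unknown
console.log(cookieState(visibleCookieString(jar, "https:"), "https:", "sessid")); // present
```

Treating "unknown" the same as "present" keeps the optimization safe: the backend call is skipped only when the script can actually rule the cookie out.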