Tom T. wrote: I am hoping that the secure cookie, TLTSID, is the one that a thief would need to hijack the session, and that the insecure one is only generic information, such as OS, browser, etc. In which case, there is no cause for concern...
After clearing the above cookies, etc. with HTTPS Force in place, please visit the home page,
http://www.wachovia.com. It correctly sets an HTTPS connection, as forced. Yet this time, three insecure cookies are set, despite there never having been an HTTP connection.
Again, one hopes that these insecure cookies, OriginalReferrer, CookiesAreEnabled, and s_sess, contain nothing sensitive. ... And that the secure cookie received upon login, TLTSID, contains the goodies. So forcing HTTPS for the site, although successful in setting the HTTPS connection, still does not force all secure cookies. Please tell me that this is nothing to worry about. Thanks.
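
The manual check described in the post above can be scripted. This is an added example, not part of the original post: it reads Set-Cookie header lines and reports which cookies lack the Secure attribute, meaning the browser would also send them over plain HTTP. The header values are constructed; only the cookie names come from the post.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# Cookie names are the ones named in the post; every value and attribute
# below is constructed for illustration, not captured from the site.
SAMPLE_HEADERS = [
    "TLTSID=PLACEHOLDER; Path=/; Secure",
    "OriginalReferrer=PLACEHOLDER; Path=/",
    "CookiesAreEnabled=yes; Path=/",
    "s_sess=PLACEHOLDER; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lowercased attribute names to their values ('' for flags).
    Only the segments after the first ';' are attributes, so a cookie
    whose *value* happens to be the word 'Secure' is not misread.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(headers):
    """Group cookie names by whether the Secure attribute is present."""
    report = {"secure": [], "insecure": []}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        bucket = "secure" if "secure" in attrs else "insecure"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_HEADERS)
    print("Secure flag set:    ", ", ".join(result["secure"]))
    print("Secure flag missing:", ", ".join(result["insecure"]))
```
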