It doesn't look like a relevant forum, but I couldn't find anything better matching. So, what is the browser behavior if it receives a session cookie over HTTPS without the secure attribute? Will such a cookie be accepted or rejected? Can somebody also give an idea how a session cookie can be hijacked over HTTPS?
Another concern is about tightening a session cookie with client IP. Is it something that is supported by any servlet container? Is it reasonable?