http - Session Cookie secure/httponly

Question

I was searching the internet quite a time but I didn't find a satisfying answer to my question.

I have to get a json object from a certain http site. I do this with a get-request over http (site is available only over http). The site responds with a session cookie:

Set-Cookie: session_id=95656983e1feaff45a000aa7f2f9093a1ea4b1c3; expires=Fri, 20 Apr 2018 14:00:51 GMT; httponly; Max-Age=3600; Path=/; secure

My first question is why the cookie is sent over http when httponly & secure flag are set??

After I get the json object I have to do some fancy stuff and send a json object back to an other site of the same domain. Also this site is available only via http. (I do the requests in python with python-requests and use requests.session() for dealing with the cookies so no problem there). When I look through the header of my request with mitmproxy I see that no cookie is set and the page responds with "WHERE'S MY COOKIE??"

I think the problem is with httponly & sercur flag. I just don't know how to deal with it because the page is only available over http and not https?

Answer 1

Secure attribute instructs the client/browser to only return the cookie when using a secure channel, but such a cookie can be set by the application/server on to the client/browser over normal HTTP. You are correct the secure flag is causing the problem and AFAIK there is no way to work around it