When I look in the code for setting the session ids I see the code below. I am confused as I understood that the purpose of setting the Secure flag on a cookie was to indicate that the cookie should only be sent on a secure connection. In the code below we only set the this flag of the connection is already secure. How does this serve the purpose of preventing the session id being sent over an insecure connection?
I am still trying to think through whether it even matters? Are we vulnerable to 'main the middle' attacks if the session id is sent as clear text?
if (httpRes != null)
httpRes.Cookies.AddPermanentCookie(SessionFeature.PermanentSessionId, sessionId,
(HostContext.Config.OnlySendSessionCookiesSecurely && req.IsSecureConnection));
What is the point of sending a "secure" cookie in an unsecured response? That probably means that HTTPS is not available on your server and the client would subsequently make a request on an unsecured HTTP connection anyway. So even if you instructed the client to only send cookies over HTTPS connections, the fact that the current connection is not HTTPS means the next connection probably won't be either and the client would not send the cookie back to the server. So whether you're not setting the cookie in the first place or the client is not sending it back subsequently makes little difference.
Now, if you say you want to set the cookie over HTTP but only receive it over HTTPS, you're missing the point of secure cookies. If the cookie is ever transmitted over HTTP at any point, its security cannot be guaranteed and it's as good as if you didn't use secure cookies in the first place.
So, ignoring the secure flag unless the currently connection is actually secure makes perfect sense and is good practice. Arguably it should raise an exception or something instead of simply ignoring it and silently introducing insecurities though.