Hi, Regarding MYFACES-3177 - Add secure flag for cookies if the page is accessed over a secured connection
https://issues.apache.org/jira/browse/MYFACES-3177 What is the rational reason behind this fix? Is there any major issue for not having the Secure flag in the flash cookies when sending in HTTPS? Or is it because most cookies, which are sent in HTTPS, are recommended to have the Secure flag by RFC As I understand, secured/encrypted connection does encrypt its data (including headers). So even without the secure flag, the cookie will still be encrypted. Regards,