Secure flag - JavaScript Cookies

[Chizl]

So in JavaScript its written that we can use the ";secure" flag to set HTTPS only cookies. However, I'm not on SSL when I'm running debug locally and I find the cookie is still being written. Is this a bug or something I'm doing wrong?

Code:

var expDate = new Date();
expDate.setDate(expDate.getDate() + 365);
document.cookie = "mainFrameSize=" + 
            escape(document.getElementById("mainFrame").cols) + 
            ";expires=" + expDate.toGMTString() + ";secure";

Edit: Using IE 7 on WinXP

[Chizl]

My problem was it was writting secure, when I wasn't on a secure connection. Then my server side code couldn't delete the cookie, because it would only pull unsecure cookies.

I ended up doing a quick check to see if connection was secure and if so then add the secure; else I skip it.

This works for now, but I think there is a bug here.

Code:

var expDate = new Date();
expDate.setDate(expDate.getDate() + 365);

var exireDate = "expires=" + expDate.toGMTString() + ";"
var framesize = "mainFrameSize=" + escape(document.getElementById("mainFrame").cols) + ";";
var secureit = "secure;";		
var allValues = framesize + exireDate;

if(isSecure())
         allValues += secureit;

document.cookie = allValues;

function isSecure() 
{    
         return window.location.protocol == 'https:'; 
}