-
some hrefs are absolute and hardcode both scheme and host, like https://glocken.hacking-lab.com/12001/cookie_case2/cookie2/controller?action=profile
-
some hrefs are relative and carry neither scheme nor host, like
controller?action=showpage&page=contact
-
the second form is actually the better choice, as long as the whole site is reachable only via https: a relative link inherits the scheme and host of the page it sits on, so nothing has to be hardcoded and the site stays on https everywhere
-
if the site is also reachable over http, the relative hrefs keep an http visitor on http, and every request they trigger sends the session cookie in the clear; the hardcoded https links would at least move that visitor back to https
-
allow access to the whole site via https only, so that no page (and therefore no relative link) is ever served over http
-
set the cookie with the Secure attribute (so that the browser only sends it over https, even if an http link is followed)
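The two conditions above (a relative link resolved from an http page, and a cookie without the Secure attribute) can be checked offline with a few lines of Python. This is an added example, not part of the exercise page or of the hacking-lab application: the audit helpers, the page URLs and the Set-Cookie header values are constructed for illustration, and only the two href shapes are taken from the note above.

```python
"""Added example: detect the two cookie-leak conditions from the note above.

1. A relative href inherits the scheme of the page it appears on, so a page
   loaded over http keeps the visitor on http even if https exists.
2. A cookie without the Secure attribute is sent on every request to the
   host, over http as well as https.

Everything here is constructed for the example; it is not code from the
exercise page or from the application under test.
"""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# The two kinds of href found on the page (taken from the note above).
SAMPLE_HREFS = [
    "https://glocken.hacking-lab.com/12001/cookie_case2/cookie2/controller?action=profile",
    "controller?action=showpage&page=contact",
]

# Constructed Set-Cookie header values: a weak one and a hardened one.
WEAK_SET_COOKIE = "session=0123456789abcdef; Path=/"
HARDENED_SET_COOKIE = "session=0123456789abcdef; Path=/; Secure; HttpOnly"


def resolve_hrefs(page_url, hrefs):
    """Resolve each href against the page URL the way a browser does.

    Returns a list of (href, absolute_url) pairs; relative hrefs take
    scheme, host and path prefix from page_url, absolute ones are unchanged.
    """
    return [(href, urljoin(page_url, href)) for href in hrefs]


def http_links(page_url, hrefs):
    """Hrefs that, followed from page_url, would be fetched over plain http
    and therefore carry any non-Secure cookie in the clear."""
    return [
        href
        for href, absolute in resolve_hrefs(page_url, hrefs)
        if urlsplit(absolute).scheme == "http"
    ]


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value.

    Returns {cookie_name: {"secure": bool, "httponly": bool}}. SimpleCookie
    stores an unset flag as "" and a set flag as True, hence the bool().
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return {
        name: {"secure": bool(m["secure"]), "httponly": bool(m["httponly"])}
        for name, m in jar.items()
    }


def unprotected_cookies(set_cookie_value):
    """Names of cookies in the header that lack the Secure attribute."""
    return [
        name for name, flags in cookie_flags(set_cookie_value).items()
        if not flags["secure"]
    ]


def audit(page_url, hrefs, set_cookie_value):
    """Combine both checks for one page.

    The cookie leaks when it is not Secure and either the page itself or one
    of its links is reachable over http. Only the links on this page are
    considered; a non-Secure cookie on an https-only site is still exposed
    if an http URL for the host is reached from anywhere else.
    """
    page_over_http = urlsplit(page_url).scheme == "http"
    leaking_links = http_links(page_url, hrefs)
    weak_cookies = unprotected_cookies(set_cookie_value)
    return {
        "page_over_http": page_over_http,
        "http_links": leaking_links,
        "non_secure_cookies": weak_cookies,
        "cookie_leaks": bool(weak_cookies) and (page_over_http or bool(leaking_links)),
    }


if __name__ == "__main__":
    base = "glocken.hacking-lab.com/12001/cookie_case2/cookie2/controller?action=showpage&page=home"
    for scheme in ("https", "http"):
        for header in (WEAK_SET_COOKIE, HARDENED_SET_COOKIE):
            print(scheme, repr(header), audit(f"{scheme}://{base}", SAMPLE_HREFS, header))
```

Running it shows the point of the note: with the page loaded over https, neither href resolves to http and even the weak cookie is not exposed by this page's links; loaded over http, the relative href stays on http and the weak cookie leaks, while the hardened cookie is still safe because the browser refuses to send it on the http request.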