CERT put out an announcement last week regarding the risks of cookies that were established via HTTP requests and how they present a threat to HTTPS sessions, due to the fact that web browsers sometimes don’t authenticate a domain that is setting a cookie. So what does that mean? It means a savvy attacker might be able to set a cookie and use it later with an HTTPS session instead of the “real” cookie set by the site. Not a good thing.
Find out more about this and what you can do to mitigate the risk, here: