As stated, a cookie can have a Secure flag. If true, the cookie is only sent by the browser for HTTPS requests. If false, the cookie is sent by the browser for both HTTP and HTTPS requests.
There is no setting for transmission solely on HTTP. The HTTPOnly flag simply stops it being accessible via JavaScript and other client-side languages; it does not affect its HTTP/HTTPS behaviour.
So by setting Secure to false, the cookie will be transmitted both encrypted and decrypted depending on the current protocol.
This is not recommended as the cookie value could be sniffed if sent over the HTTP connection, or forced to by an attacker (e.g. the attacker simply linking to the HTTP site in an image tag on their site will cause the value to be leaked - <img src="http://www.example.com/img.jpg" />).
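The behaviour described in this answer, modelled in code as an added example (it is not part of the original answer and not from any real browser or framework). It uses a deliberately simplified Set-Cookie parser that only looks at the Secure and HttpOnly attributes, and constructed sample headers; the `sent_on` and `readable_by_script` functions encode the rules above, and `audit` flags cookies that lack one of the two attributes, which is the check a reviewer of an application's responses would actually run.

```python
"""Model the Secure and HttpOnly cookie attributes.

Added example: parses Set-Cookie header lines (simplified parser, assumption),
models whether a browser would attach each cookie to an http:// or https://
request, whether page script could read it, and audits for missing attributes.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value.

    Simplified on purpose: Domain, Path, Expires, SameSite etc. are ignored;
    only the boolean Secure and HttpOnly attributes are recorded.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def sent_on(cookie: Cookie, scheme: str) -> bool:
    """True if a browser would send the cookie on a request over `scheme`.

    Secure cookies travel only over https; non-Secure cookies travel over both.
    There is no way to restrict a cookie to plain http only.
    """
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be 'http' or 'https'")
    return scheme == "https" or not cookie.secure


def readable_by_script(cookie: Cookie) -> bool:
    """HttpOnly hides the cookie from document.cookie; transport is unaffected."""
    return not cookie.http_only


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Return, per cookie name, the list of missing protections (empty = fine)."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        c = parse_set_cookie(h)
        issues = []
        if not c.secure:
            issues.append("missing Secure: value is also sent over plain HTTP")
        if not c.http_only:
            issues.append("missing HttpOnly: value is readable from client-side script")
        findings[c.name] = issues
    return findings


# Constructed sample headers for the demonstration (not from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
    "csrftoken=xyz; Path=/; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(
            f"{c.name}: sent over http={sent_on(c, 'http')}, "
            f"https={sent_on(c, 'https')}, script-readable={readable_by_script(c)}"
        )
    for name, issues in audit(SAMPLE_HEADERS).items():
        print(name, issues or ["ok"])
```

Running it shows the point of the answer: `prefs` (no flags) is sent over both schemes and is readable by script, `csrftoken` stays on HTTPS but is still script-readable, and only `sessionid`, carrying both attributes, passes the audit.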