Sending cookies over plaintext HTTP is bad. We should stop doing that.

想都不用想，肯定隐患无数啊！通过 HTTP 传输 cookie 的隐患！一句话就是 enable HTTPS 的 cookie 设置就可以了

Cookies sent over plaintext HTTP are visible to anyone on the network. This visibility exposes substantial amounts of data to network attackers (passive or active). We know, for example, that long-lived and stable cookies have enabled pervasive monitoring in the past (see Google's PREF cookie), and we know that HTTPS provides significant confidentiality protections against this kind of attack.