
Conventional wisdom to prevent CSRF is to use CSRF tokens, but with the new cookie attributes and prefixes, do you even need to generate/save tokens at all?

I've had the thought that if I just set a cookie with a static value, I can simply test for its existence, since SameSite ensures it won't be sent on cross-site requests, and the __Host- prefix prevents tampering via MITM and subdomain attacks.

Set-Cookie: __Host-AntiCSRF=yes; SameSite=Strict; Secure; Path=/

Would setting such a cookie fully protect me from CSRF, even if the value is static/guessable instead of a session token?

a cat
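To make the trade-off concrete, here is an added example (not code from the question or from any framework) that models both checks side by side: the static `__Host-AntiCSRF` cookie test proposed above and a conventional per-session synchronizer token. The cookie name comes from the question; the `csrf_token` form field, the `Request` model and the `simulate_browser` helper are assumptions made for this example. Browser behaviour is simulated rather than real: a browser that honours `SameSite=Strict` drops the cookie on cross-site requests, while an older browser that ignores the attribute still sends it, which is the case the comments raise.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Cookie name taken from the question; the token field name is hypothetical.
ANTI_CSRF_COOKIE = "__Host-AntiCSRF"
TOKEN_FIELD = "csrf_token"


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (no real framework)."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def static_cookie_check(req: Request) -> bool:
    """The approach from the question: accept the request if the static
    __Host- cookie arrived at all, relying on SameSite=Strict to keep it
    off cross-site requests."""
    return req.cookies.get(ANTI_CSRF_COOKIE) == "yes"


def issue_token(session: dict) -> str:
    """Synchronizer-token pattern: one unguessable token per session,
    stored server-side and embedded in every state-changing form."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def token_check(req: Request, session: dict) -> bool:
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.get(TOKEN_FIELD)
    submitted = req.form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def simulate_browser(cross_site: bool, honors_samesite: bool, jar: dict) -> dict:
    """Decide which cookies the (simulated) browser attaches to a request.
    A SameSite-aware browser withholds a SameSite=Strict cookie on any
    cross-site request; a legacy browser ignores the attribute and sends it."""
    if cross_site and honors_samesite:
        return {}
    return dict(jar)


def evaluate(cross_site: bool, honors_samesite: bool) -> dict:
    """Run one scenario and report the verdict of each check."""
    session = {}
    real_token = issue_token(session)
    jar = {ANTI_CSRF_COOKIE: "yes"}  # value set by the Set-Cookie header in the question
    cookies = simulate_browser(cross_site, honors_samesite, jar)
    # A legitimate same-site form carries the real token; a forged cross-site
    # form can only carry a guess, because the token was never disclosed to it.
    form = {TOKEN_FIELD: real_token if not cross_site else "guessed-value"}
    req = Request(cookies=cookies, form=form)
    return {
        "static_cookie": static_cookie_check(req),
        "token": token_check(req, session),
    }


if __name__ == "__main__":
    for cross_site, honors in [(False, True), (True, True), (True, False)]:
        label = ("cross-site" if cross_site else "same-site") + (
            ", SameSite honoured" if honors else ", SameSite ignored")
        print(f"{label}: {evaluate(cross_site, honors)}")
```

In the first two scenarios the static cookie and the token agree, so a modern browser is covered either way. In the third (a browser that ignores `SameSite`) the cookie is sent along with the forged request and the presence test passes, while the token check still rejects it because the guessable cookie value cannot substitute for a secret the attacker never saw. That difference is the reason for keeping a per-session token as the fallback.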
  • It strikes me that some older browsers don't support SameSite cookies so you still need to have a CSRF token in the form. – Fire Quacker Aug 13 '21 at 19:34
  • Does this answer your question? [Will same-site cookies be sufficent protection against CSRF and XSS?](https://security.stackexchange.com/q/121971/129883) – Fire Quacker Aug 16 '21 at 13:58
