Questions tagged [same-site-cookies]

18 questions
46 votes, 2 answers

Will same-site cookies be sufficient protection against CSRF and XSS?

I must say that I like this idea, and it seems that it will bring a new form of protection against CSRF and XSS, or at least it will reduce those attacks. So, how effective will this protection be? SameSite cookies is a mechanism for defining how…
Mirsad
29 votes, 3 answers

Setting Same-Site cookie attribute to Lax

Is setting the Same-Site attribute of a cookie to Lax the same as not setting it at all? If there are differences, what are they?
user157829
21 votes, 5 answers

Do I still need CSRF protection when SameSite is set to Lax?

During a security assessment I noticed that Firefox automatically set the SameSite value of a session cookie to Lax. According to the Mozilla specs, this is the case for 'modern browsers'. The SameSite attribute set to Lax seems to protect against…
Beurtschipper
3 votes, 2 answers

What is the connection between CORS and SameSite cookie attribute?

For most of them it may be a silly question, but I want to know this in very simple language. If an application is not using CORS at all, then should we put this SameSite cookie attribute? And if the application has a subdomain like abc.domain.com then…
2 votes, 1 answer

Why does Chrome require Secure for SameSite=None cookies?

As I understand it, the SameSite attribute for cookies helps me advise standard browsers what they can do with them. So if I'm a server running on http://acme.com/my-app and I've set a cookie like: Set-Cookie: JSESSIONID=1234567890abcdef;…
Druckles
2 votes, 1 answer

Would "same-origin cookies" make sense?

I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on. SameSite=Strict & Lax are a very good protection against CSRF…
Borek Bernard
2 votes, 3 answers

Cookie set from a server to a client with a different domain (via XHR), but not recognized by the client domain

I have three domains but the same code base (Domain X, Domain Y, Domain Z) and an Accounts website A. If a user tries to sign in to accounts from domain X, I wanted to SSO into the other two domains (browser scenario: third-party cookies blocked). I tried…
Kannan M
1 vote, 1 answer

Browser sends cookie with "SameSite=Strict" attribute on another domain

I am solving PortSwigger's lab "CSRF where token is tied to non-session cookie". For testing the SameSite attribute I created a cookie in my browser with SameSite=Strict for the domain https://.web-security-academy.net/. Then on…
ZOOM SMASH
1 vote, 0 answers

Is a static SameSite cookie enough to protect against CSRF?

Conventional wisdom to prevent CSRF is to use CSRF tokens, but with the new cookie attributes and prefixes, do you even need to generate/save tokens at all? I've had the thought that if I just set a cookie with a static value, I can simply test for…
a cat
1 vote, 1 answer

Setting HttpOnly Secure cookies in a microservice architecture

I have read that storing the JWT token within an HttpOnly Secure cookie is the recommended way to prevent both CSRF attacks and XSS attacks. When a user goes to my website they may make an API call like so: POST…
Dan
0 votes, 0 answers

Security of the not transmitted cookie

If I have a session cookie, or just a cookie, which is Secure and HttpOnly with SameSite=Strict, which is never transmitted even in requests within the same domain, and the page uses TLS: is there any attack that could catch this cookie? If so, how can this…
Szyszka947
0 votes, 1 answer

Do I need to set up super global SESSION for a web form?

I am building a web form in PHP; it is just for the user to request information about my services or send comments, so I don't need the user to be logged in with a username and a password, no database. I have the validation and sanitation scripts already…
0 votes, 1 answer

Security risks to returning JWT token in the response body to a GET request?

Are there any security risks to returning a user's JWT in the response body to a GET request? The JWT is only returned for authenticated users. Authentication is managed via a JWT stored as an HttpOnly, Secure, SameSite=Lax cookie. Flow, in…
Stud Sterkel
0 votes, 0 answers

I have a non-OAuth service and am using this approach with server-initiated HttpOnly cookies with a stripped JWT

My question is: is this approach correct given I have a non-OAuth service? My goal is to use the simplest amount of security features while still being as strong as possible. My approach is as follows, and I am asking for feedback on whether I am…
david
0 votes, 0 answers

I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?

We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where a cross-origin domain would need to pass us a POST request with data that should be used with the currently active user session…